[security][3.4] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) by serhiy-storchaka · Pull Request #2362 · python/cpython
Expand Up
@@ -606,6 +606,46 @@ def test_empty_env(self):
# environment
b"['__CF_USER_TEXT_ENCODING']"))
def test_invalid_cmd(self): # null character in the command name cmd = sys.executable + '\0' with self.assertRaises(ValueError): subprocess.Popen([cmd, "-c", "pass"])
# null character in the command argument with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass#\0"])
def test_invalid_env(self): # null character in the enviroment variable name newenv = os.environ.copy() newenv["FRUIT\0VEGETABLE"] = "cabbage" with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# null character in the enviroment variable value newenv = os.environ.copy() newenv["FRUIT"] = "orange\0VEGETABLE=cabbage" with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# equal character in the enviroment variable name newenv = os.environ.copy() newenv["FRUIT=ORANGE"] = "lemon" with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# equal character in the enviroment variable value newenv = os.environ.copy() newenv["FRUIT"] = "orange=lemon" with subprocess.Popen([sys.executable, "-c", 'import sys, os;' 'sys.stdout.write(os.getenv("FRUIT"))'], stdout=subprocess.PIPE, env=newenv) as p: stdout, stderr = p.communicate() self.assertEqual(stdout, b"orange=lemon")
def test_communicate_stdin(self): p = subprocess.Popen([sys.executable, "-c", 'import sys;' Expand Down
def test_invalid_cmd(self): # null character in the command name cmd = sys.executable + '\0' with self.assertRaises(ValueError): subprocess.Popen([cmd, "-c", "pass"])
# null character in the command argument with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass#\0"])
def test_invalid_env(self): # null character in the enviroment variable name newenv = os.environ.copy() newenv["FRUIT\0VEGETABLE"] = "cabbage" with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# null character in the enviroment variable value newenv = os.environ.copy() newenv["FRUIT"] = "orange\0VEGETABLE=cabbage" with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# equal character in the enviroment variable name newenv = os.environ.copy() newenv["FRUIT=ORANGE"] = "lemon" with self.assertRaises(ValueError): subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# equal character in the enviroment variable value newenv = os.environ.copy() newenv["FRUIT"] = "orange=lemon" with subprocess.Popen([sys.executable, "-c", 'import sys, os;' 'sys.stdout.write(os.getenv("FRUIT"))'], stdout=subprocess.PIPE, env=newenv) as p: stdout, stderr = p.communicate() self.assertEqual(stdout, b"orange=lemon")
def test_communicate_stdin(self): p = subprocess.Popen([sys.executable, "-c", 'import sys;' Expand Down