[2.7] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2372)
Prevent passing other invalid environment variables and command arguments..
(cherry picked from commit d174d24a5d37d1516b885dc7c82f71ecd5930700)
diff --git a/PC/_subprocess.c b/PC/_subprocess.c
index ffe8f41..f73d14f 100644
--- a/PC/_subprocess.c
+++ b/PC/_subprocess.c
@@ -352,7 +352,7 @@
p = PyString_AS_STRING(out);
for (i = 0; i < envsize; i++) {
- int ksize, vsize, totalsize;
+ size_t ksize, vsize, totalsize;
PyObject* key = PyList_GET_ITEM(keys, i);
PyObject* value = PyList_GET_ITEM(values, i);
@@ -363,10 +363,22 @@
}
ksize = PyString_GET_SIZE(key);
vsize = PyString_GET_SIZE(value);
+ if (strlen(PyString_AS_STRING(key)) != ksize ||
+ strlen(PyString_AS_STRING(value)) != vsize)
+ {
+ PyErr_SetString(PyExc_TypeError, "embedded null character");
+ goto error;
+ }
+ /* Search from index 1 because on Windows starting '=' is allowed for
+ defining hidden environment variables. */
+ if (ksize == 0 || strchr(PyString_AS_STRING(key) + 1, '=') != NULL) {
+ PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+ goto error;
+ }
totalsize = (p - PyString_AS_STRING(out)) + ksize + 1 +
vsize + 1 + 1;
if (totalsize > PyString_GET_SIZE(out)) {
- int offset = p - PyString_AS_STRING(out);
+ size_t offset = p - PyString_AS_STRING(out);
if (_PyString_Resize(&out, totalsize + 1024))
goto exit;
p = PyString_AS_STRING(out) + offset;