diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2017-06-23 17:27:02 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-06-23 17:27:02 (GMT) |
| commit | a7c0264735f46afab13771be4218d8eab0d7dc91 (patch) | |
| tree | 3410a5a14d3019ab4b8dfb18455bf68088df1d85 /Lib/subprocess.py | |
| parent | f42ce179c8aaa7e211ac4123c58fa3dd9a452004 (diff) | |
| download | cpython-a7c0264735f46afab13771be4218d8eab0d7dc91.zip cpython-a7c0264735f46afab13771be4218d8eab0d7dc91.tar.gz cpython-a7c0264735f46afab13771be4218d8eab0d7dc91.tar.bz2 | |
[3.5] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2361)
Prevent passing other invalid environment variables and command arguments..
(cherry picked from commit d174d24a5d37d1516b885dc7c82f71ecd5930700)
Diffstat (limited to 'Lib/subprocess.py')
| -rw-r--r-- | Lib/subprocess.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/Lib/subprocess.py b/Lib/subprocess.py index 614de40..8e44998 100644 --- a/Lib/subprocess.py +++ b/Lib/subprocess.py @@ -1200,8 +1200,12 @@ class Popen(object): # and pass it to fork_exec() if env is not None: - env_list = [os.fsencode(k) + b'=' + os.fsencode(v) - for k, v in env.items()] + env_list = [] + for k, v in env.items(): + k = os.fsencode(k) + if b'=' in k: + raise ValueError("illegal environment variable name") + env_list.append(k + b'=' + os.fsencode(v)) else: env_list = None # Use execv instead of execve. executable = os.fsencode(executable) |