authorSerhiy Storchaka <storchaka@gmail.com>2017-06-23 17:27:02 (GMT)
committerGitHub <noreply@github.com>2017-06-23 17:27:02 (GMT)
commita7c0264735f46afab13771be4218d8eab0d7dc91 (patch)
tree3410a5a14d3019ab4b8dfb18455bf68088df1d85 /Lib/test/test_subprocess.py
parentf42ce179c8aaa7e211ac4123c58fa3dd9a452004 (diff)
[3.5] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2361)
Prevent passing other invalid environment variables and command arguments. (cherry picked from commit d174d24a5d37d1516b885dc7c82f71ecd5930700)
Diffstat (limited to 'Lib/test/test_subprocess.py')
-rw-r--r--Lib/test/test_subprocess.py40
1 files changed, 40 insertions, 0 deletions
diff --git a/Lib/test/test_subprocess.py b/Lib/test/test_subprocess.py
index 03a06e0..804c8f4 100644
--- a/Lib/test/test_subprocess.py
+++ b/Lib/test/test_subprocess.py
@@ -634,6 +634,46 @@ class ProcessTestCase(BaseTestCase):
# environment
b"['__CF_USER_TEXT_ENCODING']"))
+ def test_invalid_cmd(self):
+ # null character in the command name
+ cmd = sys.executable + '\0'
+ with self.assertRaises(ValueError):
+ subprocess.Popen([cmd, "-c", "pass"])
+
+ # null character in the command argument
+ with self.assertRaises(ValueError):
+ subprocess.Popen([sys.executable, "-c", "pass#\0"])
+
+ def test_invalid_env(self):
+ # null character in the enviroment variable name
+ newenv = os.environ.copy()
+ newenv["FRUIT\0VEGETABLE"] = "cabbage"
+ with self.assertRaises(ValueError):
+ subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
+
+ # null character in the enviroment variable value
+ newenv = os.environ.copy()
+ newenv["FRUIT"] = "orange\0VEGETABLE=cabbage"
+ with self.assertRaises(ValueError):
+ subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
+
+ # equal character in the enviroment variable name
+ newenv = os.environ.copy()
+ newenv["FRUIT=ORANGE"] = "lemon"
+ with self.assertRaises(ValueError):
+ subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
+
+ # equal character in the enviroment variable value
+ newenv = os.environ.copy()
+ newenv["FRUIT"] = "orange=lemon"
+ with subprocess.Popen([sys.executable, "-c",
+ 'import sys, os;'
+ 'sys.stdout.write(os.getenv("FRUIT"))'],
+ stdout=subprocess.PIPE,
+ env=newenv) as p:
+ stdout, stderr = p.communicate()
+ self.assertEqual(stdout, b"orange=lemon")
+
def test_communicate_stdin(self):
p = subprocess.Popen([sys.executable, "-c",
'import sys;'
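Review bot: The comments in test_invalid_env name the rejected inputs but not the reason, and all four misspell "environment" as "enviroment". The NUL-in-value case is the one the commit title is about, so I would say so above `newenv["FRUIT"] = "orange\0VEGETABLE=cabbage"`, for example `# the Windows environment block is NUL-separated, so an embedded NUL would start a second variable the caller never set`. Every case here uses str keys and values; whether bytes entries in env go through the same validation cannot be seen from this hunk, so a bytes variant of the two NUL cases may be worth adding. Both new tests are complete in the hunk, while the enclosing ProcessTestCase class starts and ends outside it.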