[3.6] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2360)

Prevent passing other invalid environment variables and command arguments.. (cherry picked from commit d174d24a5d37d1516b885dc7c82f71ecd5930700)
author: Serhiy Storchaka <storchaka@gmail.com> 2017-06-23 17:17:38 (GMT)
committer: GitHub <noreply@github.com> 2017-06-23 17:17:38 (GMT)
commit: e7135751b8e48af80665e40ac8fa6d0073e5affe (patch)
tree: 3ab00867f840f76a6669fb492fb5833f4253a57d /Misc/NEWS
parent: 1b7474dedcbbd731a362b17abfbd7e5a60b64f63 (diff)
download: cpython-e7135751b8e48af80665e40ac8fa6d0073e5affe.zip
cpython-e7135751b8e48af80665e40ac8fa6d0073e5affe.tar.gz
cpython-e7135751b8e48af80665e40ac8fa6d0073e5affe.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 70a531c..94a29d0 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- [Security] bpo-30730: Prevent environment variables injection in subprocess on
+  Windows.  Prevent passing other environment variables and command arguments.
+
 - [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
   of multiple security vulnerabilities including: CVE-2017-9233 (External
   entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
author	Serhiy Storchaka <storchaka@gmail.com>	2017-06-23 17:17:38 (GMT)
committer	GitHub <noreply@github.com>	2017-06-23 17:17:38 (GMT)
commit	e7135751b8e48af80665e40ac8fa6d0073e5affe (patch)
tree	3ab00867f840f76a6669fb492fb5833f4253a57d /Misc/NEWS
parent	1b7474dedcbbd731a362b17abfbd7e5a60b64f63 (diff)
download	cpython-e7135751b8e48af80665e40ac8fa6d0073e5affe.zip cpython-e7135751b8e48af80665e40ac8fa6d0073e5affe.tar.gz cpython-e7135751b8e48af80665e40ac8fa6d0073e5affe.tar.bz2