[2.7] bpo-30746: Prohibited the '=' character in environment variable names (GH-2382) (#2393)

in `os.putenv()` and `os.spawn*()`..
(cherry picked from commit 77703942c5997dff00c48f10df1b29b11645624c)

1 files changed, 19 insertions, 0 deletions

diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
index ffeb715..a06c56e 100644
--- a/Modules/posixmodule.c
+++ b/Modules/posixmodule.c
@@ -3556,6 +3556,12 @@ posix_spawnve(PyObject *self, PyObject *args)
         {
             goto fail_2;
         }
+        /* Search from index 1 because on Windows starting '=' is allowed for
+           defining hidden environment variables. */
+        if (*k == '\0' || strchr(k + 1, '=') != NULL) {
+            PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+            goto fail_2;
+        }
         len = PyString_Size(key) + PyString_Size(val) + 2;
         p = PyMem_NEW(char, len);
         if (p == NULL) {
@@ -3789,6 +3795,12 @@ posix_spawnvpe(PyObject *self, PyObject *args)
         {
             goto fail_2;
         }
+        /* Search from index 1 because on Windows starting '=' is allowed for
+           defining hidden environment variables. */
+        if (*k == '\0' || strchr(k + 1, '=') != NULL) {
+            PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+            goto fail_2;
+        }
         len = PyString_Size(key) + PyString_Size(val) + 2;
         p = PyMem_NEW(char, len);
         if (p == NULL) {
@@ -7185,6 +7197,13 @@ posix_putenv(PyObject *self, PyObject *args)
     } else {
 #endif
 
+    /* Search from index 1 because on Windows starting '=' is allowed for
+       defining hidden environment variables. */
+    if (*s1 == '\0' || strchr(s1 + 1, '=') != NULL) {
+        PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+        return NULL;
+    }
+
     /* XXX This can leak memory -- not easy to fix :-( */
     len = strlen(s1) + strlen(s2) + 2;
 #ifdef MS_WINDOWS