author | Serhiy Storchaka <storchaka@gmail.com> | 2017-06-24 08:49:00 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-06-24 08:49:00 (GMT) |
commit | 9dda2caca8edc7ff1285f6b0d1c5279b51854b7d (patch) | |
tree | bfe785b8878b1bb8bb531a8a97a674ae4624b4e6 /PC | |
parent | 7709b4d57b433ef027a2e7e63b4cab3fc9ad910d (diff) | |
[2.7] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2372)
Prevent passing other invalid environment variables and command arguments.
(cherry picked from commit d174d24a5d37d1516b885dc7c82f71ecd5930700)
Diffstat (limited to 'PC')
-rw-r--r-- | PC/_subprocess.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/PC/_subprocess.c b/PC/_subprocess.c index ffe8f41..f73d14f 100644 --- a/PC/_subprocess.c +++ b/PC/_subprocess.c @@ -352,7 +352,7 @@ getenvironment(PyObject* environment) p = PyString_AS_STRING(out); for (i = 0; i < envsize; i++) { - int ksize, vsize, totalsize; + size_t ksize, vsize, totalsize; PyObject* key = PyList_GET_ITEM(keys, i); PyObject* value = PyList_GET_ITEM(values, i); @@ -363,10 +363,22 @@ getenvironment(PyObject* environment) } ksize = PyString_GET_SIZE(key); vsize = PyString_GET_SIZE(value); + if (strlen(PyString_AS_STRING(key)) != ksize || + strlen(PyString_AS_STRING(value)) != vsize) + { + PyErr_SetString(PyExc_TypeError, "embedded null character"); + goto error; + } + /* Search from index 1 because on Windows starting '=' is allowed for + defining hidden environment variables. */ + if (ksize == 0 || strchr(PyString_AS_STRING(key) + 1, '=') != NULL) { + PyErr_SetString(PyExc_ValueError, "illegal environment variable name"); + goto error; + } totalsize = (p - PyString_AS_STRING(out)) + ksize + 1 + vsize + 1 + 1; if (totalsize > PyString_GET_SIZE(out)) { - int offset = p - PyString_AS_STRING(out); + size_t offset = p - PyString_AS_STRING(out); if (_PyString_Resize(&out, totalsize + 1024)) goto exit; p = PyString_AS_STRING(out) + offset; |
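Review bot: With `totalsize` now a `size_t`, the second hunk's `if (totalsize > PyString_GET_SIZE(out))` compares an unsigned value against the signed `Py_ssize_t` size, and `_PyString_Resize(&out, totalsize + 1024)` narrows it back to `Py_ssize_t` with no upper bound checked. The sum is unlikely to grow that large in practice, but an explicit guard before the resize keeps the arithmetic well defined and reports a clear error, e.g. `if (totalsize > (size_t)PY_SSIZE_T_MAX - 1024) { PyErr_SetString(PyExc_OverflowError, "environment too long"); goto error; }`. The new embedded-NUL check would also benefit from a short comment saying why it matters here, such as `/* A NUL inside a key or value would end the entry early in the NUL-separated block, so the remainder could be read as extra variables. */`. getenvironment() begins and ends outside both hunks, so the cleanup done at the `error` and `exit` labels should be confirmed against the full function.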