[3.6] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2360)

Prevent passing other invalid environment variables and command arguments..
(cherry picked from commit d174d24a5d)
(cherry picked from commit e7135751b8)
This commit is contained in:
Serhiy Storchaka 2017-06-23 20:17:38 +03:00 committed by Ned Deily
parent c794b643c9
commit a9b16cff35
5 changed files with 72 additions and 9 deletions

View File

@ -1239,8 +1239,12 @@ class Popen(object):
# and pass it to fork_exec() # and pass it to fork_exec()
if env is not None: if env is not None:
env_list = [os.fsencode(k) + b'=' + os.fsencode(v) env_list = []
for k, v in env.items()] for k, v in env.items():
k = os.fsencode(k)
if b'=' in k:
raise ValueError("illegal environment variable name")
env_list.append(k + b'=' + os.fsencode(v))
else: else:
env_list = None # Use execv instead of execve. env_list = None # Use execv instead of execve.
executable = os.fsencode(executable) executable = os.fsencode(executable)

View File

@ -644,6 +644,46 @@ class ProcessTestCase(BaseTestCase):
# environment # environment
b"['__CF_USER_TEXT_ENCODING']")) b"['__CF_USER_TEXT_ENCODING']"))
def test_invalid_cmd(self):
# null character in the command name
cmd = sys.executable + '\0'
with self.assertRaises(ValueError):
subprocess.Popen([cmd, "-c", "pass"])
# null character in the command argument
with self.assertRaises(ValueError):
subprocess.Popen([sys.executable, "-c", "pass#\0"])
def test_invalid_env(self):
# null character in the enviroment variable name
newenv = os.environ.copy()
newenv["FRUIT\0VEGETABLE"] = "cabbage"
with self.assertRaises(ValueError):
subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# null character in the enviroment variable value
newenv = os.environ.copy()
newenv["FRUIT"] = "orange\0VEGETABLE=cabbage"
with self.assertRaises(ValueError):
subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# equal character in the enviroment variable name
newenv = os.environ.copy()
newenv["FRUIT=ORANGE"] = "lemon"
with self.assertRaises(ValueError):
subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
# equal character in the enviroment variable value
newenv = os.environ.copy()
newenv["FRUIT"] = "orange=lemon"
with subprocess.Popen([sys.executable, "-c",
'import sys, os;'
'sys.stdout.write(os.getenv("FRUIT"))'],
stdout=subprocess.PIPE,
env=newenv) as p:
stdout, stderr = p.communicate()
self.assertEqual(stdout, b"orange=lemon")
def test_communicate_stdin(self): def test_communicate_stdin(self):
p = subprocess.Popen([sys.executable, "-c", p = subprocess.Popen([sys.executable, "-c",
'import sys;' 'import sys;'

View File

@ -13,6 +13,9 @@ Core and Builtins
Library Library
------- -------
- [Security] bpo-30730: Prevent environment variables injection in subprocess on
Windows. Prevent passing other environment variables and command arguments.
- [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes - [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
of multiple security vulnerabilities including: CVE-2017-9233 (External of multiple security vulnerabilities including: CVE-2017-9233 (External
entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),

View File

@ -744,6 +744,20 @@ getenvironment(PyObject* environment)
"environment can only contain strings"); "environment can only contain strings");
goto error; goto error;
} }
if (PyUnicode_FindChar(key, '\0', 0, PyUnicode_GET_LENGTH(key), 1) != -1 ||
PyUnicode_FindChar(value, '\0', 0, PyUnicode_GET_LENGTH(value), 1) != -1)
{
PyErr_SetString(PyExc_ValueError, "embedded null character");
goto error;
}
/* Search from index 1 because on Windows starting '=' is allowed for
defining hidden environment variables. */
if (PyUnicode_GET_LENGTH(key) == 0 ||
PyUnicode_FindChar(key, '=', 1, PyUnicode_GET_LENGTH(key), 1) != -1)
{
PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
goto error;
}
if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) { if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
PyErr_SetString(PyExc_OverflowError, "environment too long"); PyErr_SetString(PyExc_OverflowError, "environment too long");
goto error; goto error;
@ -830,7 +844,8 @@ _winapi_CreateProcess_impl(PyObject *module, Py_UNICODE *application_name,
PROCESS_INFORMATION pi; PROCESS_INFORMATION pi;
STARTUPINFOW si; STARTUPINFOW si;
PyObject* environment; PyObject* environment;
wchar_t *wenvironment; const wchar_t *wenvironment;
Py_ssize_t wenvironment_size;
ZeroMemory(&si, sizeof(si)); ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si); si.cb = sizeof(si);
@ -846,12 +861,13 @@ _winapi_CreateProcess_impl(PyObject *module, Py_UNICODE *application_name,
if (env_mapping != Py_None) { if (env_mapping != Py_None) {
environment = getenvironment(env_mapping); environment = getenvironment(env_mapping);
if (! environment) if (environment == NULL) {
return NULL; return NULL;
}
/* contains embedded null characters */
wenvironment = PyUnicode_AsUnicode(environment); wenvironment = PyUnicode_AsUnicode(environment);
if (wenvironment == NULL) if (wenvironment == NULL) {
{ Py_DECREF(environment);
Py_XDECREF(environment);
return NULL; return NULL;
} }
} }

View File

@ -3193,8 +3193,8 @@ _PySequence_BytesToCharpArray(PyObject* self)
array[i] = NULL; array[i] = NULL;
goto fail; goto fail;
} }
data = PyBytes_AsString(item); /* check for embedded null bytes */
if (data == NULL) { if (PyBytes_AsStringAndSize(item, &data, NULL) < 0) {
/* NULL terminate before freeing. */ /* NULL terminate before freeing. */
array[i] = NULL; array[i] = NULL;
goto fail; goto fail;