mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-10-06 23:21:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286)

Browse source
This commit is contained in:
Oleg Iarygin 2023-02-09 02:12:19 +04:00 committed by GitHub
parent de3669ebcb
commit 23751ed826
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 58 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

40
Doc/library/subprocess.rst
View file

@ -111,6 +111,14 @@ underlying :class:`Popen` interface can be used directly.
Added the *text* parameter, as a more understandable alias of *universal_newlines*. Added the *text* parameter, as a more understandable alias of *universal_newlines*.
Added the *capture_output* parameter. Added the *capture_output* parameter.
.. versionchanged:: 3.11.2
Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.
.. class:: CompletedProcess .. class:: CompletedProcess
The return value from :func:`run`, representing a process that has finished. The return value from :func:`run`, representing a process that has finished.
@ -487,6 +495,14 @@ functions.
*executable* parameter accepts a bytes and :term:`path-like object` *executable* parameter accepts a bytes and :term:`path-like object`
on Windows. on Windows.
.. versionchanged:: 3.11.2
Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.
*stdin*, *stdout* and *stderr* specify the executed program's standard input, *stdin*, *stdout* and *stderr* specify the executed program's standard input,
standard output and standard error file handles, respectively. Valid values standard output and standard error file handles, respectively. Valid values
are ``None``, :data:`PIPE`, :data:`DEVNULL`, an existing file descriptor (a are ``None``, :data:`PIPE`, :data:`DEVNULL`, an existing file descriptor (a
@ -1158,6 +1174,14 @@ calls these functions.
.. versionchanged:: 3.3 .. versionchanged:: 3.3
*timeout* was added. *timeout* was added.
.. versionchanged:: 3.11.2
Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.
.. function:: check_call(args, *, stdin=None, stdout=None, stderr=None, \ .. function:: check_call(args, *, stdin=None, stdout=None, stderr=None, \
shell=False, cwd=None, timeout=None, \ shell=False, cwd=None, timeout=None, \
**other_popen_kwargs) **other_popen_kwargs)
@ -1190,6 +1214,14 @@ calls these functions.
.. versionchanged:: 3.3 .. versionchanged:: 3.3
*timeout* was added. *timeout* was added.
.. versionchanged:: 3.11.2
Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.
.. function:: check_output(args, *, stdin=None, stderr=None, shell=False, \ .. function:: check_output(args, *, stdin=None, stderr=None, shell=False, \
cwd=None, encoding=None, errors=None, \ cwd=None, encoding=None, errors=None, \
@ -1245,6 +1277,14 @@ calls these functions.
.. versionadded:: 3.7 .. versionadded:: 3.7
*text* was added as a more readable alias for *universal_newlines*. *text* was added as a more readable alias for *universal_newlines*.
.. versionchanged:: 3.11.2
Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.
.. _subprocess-replacements: .. _subprocess-replacements:

16
Lib/subprocess.py
View file

@ -1480,7 +1480,21 @@ class Popen:
if shell: if shell:
startupinfo.dwFlags |= _winapi.STARTF_USESHOWWINDOW startupinfo.dwFlags |= _winapi.STARTF_USESHOWWINDOW
startupinfo.wShowWindow = _winapi.SW_HIDE startupinfo.wShowWindow = _winapi.SW_HIDE
comspec = os.environ.get("COMSPEC", "cmd.exe") if not executable:
# gh-101283: without a fully-qualified path, before Windows
# checks the system directories, it first looks in the
# application directory, and also the current directory if
# NeedCurrentDirectoryForExePathW(ExeName) is true, so try
# to avoid executing unqualified "cmd.exe".
comspec = os.environ.get('ComSpec')
if not comspec:
system_root = os.environ.get('SystemRoot', '')
comspec = os.path.join(system_root, 'System32', 'cmd.exe')
if not os.path.isabs(comspec):
raise FileNotFoundError('shell not found: neither %ComSpec% nor %SystemRoot% is set')
if os.path.isabs(comspec):
executable = comspec
args = '{} /c "{}"'.format (comspec, args) args = '{} /c "{}"'.format (comspec, args)
if cwd is not None: if cwd is not None:

3
Misc/NEWS.d/next/Security/2023-01-24-16-12-00.gh-issue-101283.9tqu39.rst Normal file
View file

@ -0,0 +1,3 @@
:class:`subprocess.Popen` now uses a safer approach to find
``cmd.exe`` when launching with ``shell=True``. Patch by Eryk Sun,
based on a patch by Oleg Iarygin.