gh-124651: Quote template strings in venv activation scripts (GH-124712)

This patch properly quotes template strings in `venv` activation scripts. This mitigates potential command injection.
2025-11-02 11:08:57 +00:00 · 2024-10-22 04:48:04 +08:00 · 2024-10-22 04:48:04 +08:00 · d48cc82ed2
commit d48cc82ed2
parent 44f841f01a
7 changed files with 135 additions and 21 deletions
--- a/Lib/venv/scripts/nt/activate.bat
+++ b/Lib/venv/scripts/nt/activate.bat
@ -8,7 +8,7 @@ if defined _OLD_CODEPAGE (
    "%SystemRoot%\System32\chcp.com" 65001 > nul
 )

-set VIRTUAL_ENV=__VENV_DIR__
+set "VIRTUAL_ENV=__VENV_DIR__"

 if not defined PROMPT set PROMPT=$P$G

@ -24,8 +24,8 @@ set PYTHONHOME=
 if defined _OLD_VIRTUAL_PATH set PATH=%_OLD_VIRTUAL_PATH%
 if not defined _OLD_VIRTUAL_PATH set _OLD_VIRTUAL_PATH=%PATH%

-set PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH%
-set VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
+set "PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH%"
+set "VIRTUAL_ENV_PROMPT=__VENV_PROMPT__"

 :END
 if defined _OLD_CODEPAGE (