[3.6] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2360)

Prevent passing other invalid environment variables and command arguments.. (cherry picked from commit d174d24a5d)
2025-10-06 23:21:06 +00:00 · 2017-06-23 20:17:38 +03:00 · 2017-06-23 20:17:38 +03:00 · e7135751b8
commit e7135751b8
parent 1b7474dedc
5 changed files with 72 additions and 9 deletions
--- a/Lib/subprocess.py
+++ b/Lib/subprocess.py
@ -1239,8 +1239,12 @@ class Popen(object):
                    # and pass it to fork_exec()

                    if env is not None:
-                        env_list = [os.fsencode(k) + b'=' + os.fsencode(v)
-                                    for k, v in env.items()]
+                        env_list = []
+                        for k, v in env.items():
+                            k = os.fsencode(k)
+                            if b'=' in k:
+                                raise ValueError("illegal environment variable name")
+                            env_list.append(k + b'=' + os.fsencode(v))
                    else:
                        env_list = None  # Use execv instead of execve.
                    executable = os.fsencode(executable)