[3.6] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2360)

Prevent passing other invalid environment variables and command arguments.. (cherry picked from commit d174d24a5d)
2025-10-04 22:20:46 +00:00 · 2017-06-23 20:17:38 +03:00 · 2017-06-23 20:17:38 +03:00 · e7135751b8
commit e7135751b8
parent 1b7474dedc
5 changed files with 72 additions and 9 deletions
--- a/Modules/_winapi.c
+++ b/Modules/_winapi.c
@ -744,6 +744,20 @@ getenvironment(PyObject* environment)
                "environment can only contain strings");
            goto error;
        }
+        if (PyUnicode_FindChar(key, '\0', 0, PyUnicode_GET_LENGTH(key), 1) != -1 ||
+            PyUnicode_FindChar(value, '\0', 0, PyUnicode_GET_LENGTH(value), 1) != -1)
+        {
+            PyErr_SetString(PyExc_ValueError, "embedded null character");
+            goto error;
+        }
+        /* Search from index 1 because on Windows starting '=' is allowed for
+           defining hidden environment variables. */
+        if (PyUnicode_GET_LENGTH(key) == 0 ||
+            PyUnicode_FindChar(key, '=', 1, PyUnicode_GET_LENGTH(key), 1) != -1)
+        {
+            PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+            goto error;
+        }
        if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
            PyErr_SetString(PyExc_OverflowError, "environment too long");
            goto error;
@ -830,7 +844,8 @@ _winapi_CreateProcess_impl(PyObject *module, Py_UNICODE *application_name,
    PROCESS_INFORMATION pi;
    STARTUPINFOW si;
    PyObject* environment;
-    wchar_t *wenvironment;
+    const wchar_t *wenvironment;
+    Py_ssize_t wenvironment_size;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
@ -846,12 +861,13 @@ _winapi_CreateProcess_impl(PyObject *module, Py_UNICODE *application_name,

    if (env_mapping != Py_None) {
        environment = getenvironment(env_mapping);
-        if (! environment)
+        if (environment == NULL) {
            return NULL;
+        }
+        /* contains embedded null characters */
        wenvironment = PyUnicode_AsUnicode(environment);
-        if (wenvironment == NULL)
-        {
-            Py_XDECREF(environment);
+        if (wenvironment == NULL) {
+            Py_DECREF(environment);
            return NULL;
        }
    }