X Tutup

gh-114539: Clarify implicit launching of shells by subprocess#117996

Merged

zooba merged 2 commits intopython:mainfrom

zooba:gh-114539

Apr 17, 2024

Member

zooba commented Apr 17, 2024 •

edited by github-actions bot

Loading

This is the same issue as recently disclosed by Rust (CVE-2024-24576), but as it is intentional operating system behaviour, we consider it to not be a Python vulnerability. If an attacker can influence the executable argument and other arguments, no reasonable validation can detect this case (without actually launching the executable and seeing what happens), and the app is exploitable already.

Rust was already detecting whether the executable was a batch file and changing their behaviour, which is why they chose to apply a fix. Python does no such detection, but relies exclusively on the shell argument.

Issue: [doc] subprocess security considerations needs a Windows-specific exception #114539

📚 Documentation preview 📚: https://cpython-previews--117996.org.readthedocs.build/


          pythongh-114539: Clarify implicit lauching of shells in subprocess

ae08dd8

zooba added docs type-security needs backport to 3.8 needs backport to 3.10 needs backport to 3.11 needs backport to 3.12 labels

bedevere-app bot mentioned this pull request

[doc] subprocess security considerations needs a Windows-specific exception #114539

Closed

bedevere-app bot added skip news awaiting core review labels


          Adds GH reference

ab79e76

sethmlarson approved these changes

View reviewed changes

Contributor

sethmlarson left a comment

Thanks Steve! LGTM

gpshead approved these changes

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels

zooba merged commit a4b44d3 into python:main

miss-islington-app bot commented Apr 17, 2024

Thanks @zooba for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12.
🐍🍒⛏🤖

bedevere-app bot removed the awaiting merge label

zooba deleted the gh-114539 branch

April 17, 2024 18:32

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request


          pythongh-114539: Clarify implicit launching of shells by subprocess (p…

b7f8c77

…ythonGH-117996)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

bedevere-app bot commented Apr 17, 2024

GH-118002 is a backport of this pull request to the 3.12 branch.

bedevere-app bot removed the needs backport to 3.12 label

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request


          pythongh-114539: Clarify implicit launching of shells by subprocess (p…

085ad6a

…ythonGH-117996)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

bedevere-app bot commented Apr 17, 2024

GH-118003 is a backport of this pull request to the 3.11 branch.

bedevere-app bot removed the needs backport to 3.11 label

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request


          pythongh-114539: Clarify implicit launching of shells by subprocess (p…

f03a28f

…ythonGH-117996)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

bedevere-app bot commented Apr 17, 2024

GH-118004 is a backport of this pull request to the 3.10 branch.

bedevere-app bot removed the needs backport to 3.10 label

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request


          pythongh-114539: Clarify implicit launching of shells by subprocess (p…

3fc8a8b

…ythonGH-117996)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

bedevere-app bot commented Apr 17, 2024

GH-118005 is a backport of this pull request to the 3.9 branch.

bedevere-app bot removed the needs backport to 3.9 label

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request


          pythongh-114539: Clarify implicit launching of shells by subprocess (p…

89632e6

…ythonGH-117996)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

bedevere-app bot commented Apr 17, 2024

GH-118006 is a backport of this pull request to the 3.8 branch.

bedevere-app bot removed the needs backport to 3.8 label

zooba added a commit that referenced this pull request


          [3.12] gh-114539: Clarify implicit launching of shells by subprocess (G…

859fdee

…H-117996) (#118002)

gh-114539: Clarify implicit launching of shells by subprocess (GH-117996)
(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

ambv pushed a commit that referenced this pull request


          [3.10] gh-114539: Clarify implicit launching of shells by subprocess (G…

9b33629

…H-117996) (GH-118004)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

ambv pushed a commit that referenced this pull request


          [3.9] gh-114539: Clarify implicit launching of shells by subprocess (G…

22ae383

…H-117996) (GH-118005)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

ambv pushed a commit that referenced this pull request


          [3.8] gh-114539: Clarify implicit launching of shells by subprocess (G…

14ac620

…H-117996) (GH-118006)

(cherry picked from commit a4b44d3)

Co-authored-by: Steve Dower <steve.dower@python.org>

hugovk pushed a commit that referenced this pull request


          [3.11] gh-114539: Clarify implicit launching of shells by subprocess (G…

b396360

…H-117996) (#118003)

Co-authored-by: Steve Dower <steve.dower@python.org>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs skip news type-security

X Tutup