X Tutup
Skip to content

gh-124651: Quote template strings in venv activation scripts#124712

Merged
vsajip merged 1 commit intopython:mainfrom
y5c4l3:venv-quote
Oct 21, 2024
Merged

gh-124651: Quote template strings in venv activation scripts#124712
vsajip merged 1 commit intopython:mainfrom
y5c4l3:venv-quote

Conversation

@y5c4l3
Copy link
Contributor

@y5c4l3 y5c4l3 commented Sep 27, 2024
edited by bedevere-app bot
Loading

This patch properly quotes template strings in venv activation scripts. This mitigates potential command injection.

@y5c4l3 y5c4l3 requested a review from vsajip as a code owner September 27, 2024 21:15
@bedevere-app bedevere-app bot mentioned this pull request Sep 27, 2024
Closed
@vsajip vsajip added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Sep 30, 2024
@bedevere-bot
Copy link

bedevere-bot commented Sep 30, 2024

🤖 New build scheduled with the buildbot fleet by @vsajip for commit 3034419 🤖

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Sep 30, 2024
@y5c4l3
Quote template strings in venv activation scripts
b6a3bbd 
This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
@y5c4l3
Copy link
Contributor Author

y5c4l3 commented Oct 1, 2024
edited
Loading

buildbot/AMD64 FreeBSD failed because bash was not found. I will add a test for tcsh / csh and skip the original test if bash is not present.

======================================================================
ERROR: test_special_chars (test.test_venv.BasicTest.test_special_chars)
Test that the template strings are quoted properly
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/buildbot/buildarea/pull_request.ware-freebsd/build/Lib/test/test_venv.py", line 515, in test_special_chars
    out, err = check_output([bash, test_script])
               ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
  File "/buildbot/buildarea/pull_request.ware-freebsd/build/Lib/test/test_venv.py", line 50, in check_output
    p = subprocess.Popen(cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        env={**os.environ, "PYTHONHOME": ""})
  File "/buildbot/buildarea/pull_request.ware-freebsd/build/Lib/subprocess.py", line 1035, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                        pass_fds, cwd, env,
                        ^^^^^^^^^^^^^^^^^^^
    ...<5 lines>...
                        gid, gids, uid, umask,
                        ^^^^^^^^^^^^^^^^^^^^^^
                        start_new_session, process_group)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/buildbot/buildarea/pull_request.ware-freebsd/build/Lib/subprocess.py", line 1885, in _execute_child
    executable = os.fsencode(executable)
  File "/buildbot/buildarea/pull_request.ware-freebsd/build/Lib/os.py", line 852, in fsencode
    filename = fspath(filename)  # Does type-checking of `filename`.
TypeError: expected str, bytes or os.PathLike object, not NoneType

----------------------------------------------------------------------
Ran 36 tests in 7.578s

@vsajip vsajip added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Oct 9, 2024
@bedevere-bot
Copy link

bedevere-bot commented Oct 9, 2024

🤖 New build scheduled with the buildbot fleet by @vsajip for commit b6a3bbd 🤖

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Oct 9, 2024
@y5c4l3
Copy link
Contributor Author

y5c4l3 commented Oct 10, 2024

@vsajip Some tests were still failing but none of them is related to this PR I guess.

@y5c4l3
Copy link
Contributor Author

y5c4l3 commented Oct 21, 2024

@vsajip Summary of the failing tests are posted here. Since they all appeared repeatedly before or after this build, I think this PR is good to go... no?

AMD64 Arch Linux TraceRefs PR/1443

FAIL: test_audit_subinterpreter (test.test_embed.AuditingTests.test_audit_subinterpreter)

iOS ARM64 Simulator PR/136

FAIL: test_alt_digits_nl_langinfo (test.test__locale._LocaleTests.test_alt_digits_nl_langinfo) (locale='ja_JP')

x86 Debian Installed with X PR/27
x86 Debian Non-Debug with X PR/27

make: *** [Makefile:1534: Modules/_hacl/Hacl_Hash_Blake2s_Simd128.o] Error 1
make: *** Waiting for unfinished jobs....

@vsajip vsajip merged commit d48cc82 into python:main Oct 21, 2024
@vsajip vsajip added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Oct 21, 2024
@miss-islington-app
Copy link

miss-islington-app bot commented Oct 21, 2024

Thanks @y5c4l3 for the PR, and @vsajip for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Oct 21, 2024

Thanks @y5c4l3 for the PR, and @vsajip for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Oct 21, 2024

Sorry, @y5c4l3 and @vsajip, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d48cc82ed25e26b02eb97c6263d95dcaa1e9111b 3.12

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 21, 2024
@y5c4l3 @miss-islington
pythongh-124651: Quote template strings in venv activation scripts (p…
6fdc7dd 
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.
(cherry picked from commit d48cc82)

Co-authored-by: Y5 <124019959+y5c4l3@users.noreply.github.com>
@bedevere-app
Copy link

bedevere-app bot commented Oct 21, 2024

GH-125813 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Oct 21, 2024
vsajip pushed a commit that referenced this pull request Oct 22, 2024
@miss-islington
[3.13] gh-124651: Quote template strings in venv activation scripts (
e52095a 
…GH-124712) (GH-125813)

(cherry picked from commit d48cc82)
ajayk pushed a commit to ajayk/cpython that referenced this pull request Oct 24, 2024
@y5c4l3 @ajayk
pythongh-124651: Quote template strings in venv activation scripts (p…
4072b98 
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.

(cherry picked from commit d48cc82)
vstinner pushed a commit to vstinner/cpython that referenced this pull request Oct 30, 2024
@y5c4l3 @vstinner
pythongh-124651: Quote template strings in venv activation scripts (p…
1408cc9 
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.

(cherry picked from commit d48cc82)
@bedevere-app
Copy link

bedevere-app bot commented Oct 30, 2024

GH-126185 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Oct 30, 2024
vsajip pushed a commit that referenced this pull request Oct 31, 2024
@vstinner
[3.12] gh-124651: Quote template strings in venv activation scripts (
8450b24 
…GH-124712) (GH-126185)

(cherry picked from commit d48cc82)
@bedevere-app

This comment was marked as off-topic.

Sign in to view
1 similar comment
@bedevere-app

This comment was marked as outdated.

Sign in to view
pablogsal pushed a commit that referenced this pull request Nov 1, 2024
@vstinner
[3.11] gh-124651: Quote template strings in venv activation scripts (
ae961ae 
…GH-124712) (GH-126185) (#126269)
ambv pushed a commit that referenced this pull request Nov 4, 2024
@vstinner
[3.10] gh-124651: Quote template strings in venv activation scripts (
9286ab3 
…GH-124712) (GH-126185) (GH-126269) (GH-126300)

(cherry picked from commit ae961ae)
ambv pushed a commit that referenced this pull request Nov 4, 2024
@vstinner
[3.9] gh-124651: Quote template strings in venv activation scripts (G…
6335557 
…H-124712) (GH-126185) (GH-126269) (GH-126301)

(cherry picked from commit ae961ae)
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Nov 6, 2024
@Redent0r
python3: patch CVE-2024-9287
14fc52f 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
@Redent0r Redent0r mentioned this pull request Nov 6, 2024
Closed
12 tasks
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Nov 6, 2024
@Redent0r
python3: patch CVE-2024-9287
796d7cc 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Nov 7, 2024
@Redent0r
python3: patch CVE-2024-9287
f1f5295 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Nov 7, 2024
@Redent0r
python3: patch CVE-2024-9287
71588af 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Nov 7, 2024
@Redent0r
python3: patch CVE-2024-9287
d695dd3 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Nov 26, 2024
@Redent0r
python3: patch CVE-2024-9287
a09d45d 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
@mcepl
Copy link
Contributor

mcepl commented Dec 2, 2024

My backport of fix for Python 3.6 is at openSUSE-Python@4f2496b.

Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Dec 18, 2024
@Redent0r
python3: patch CVE-2024-9287
e30a76b 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r added a commit to Redent0r/CBL-Mariner that referenced this pull request Dec 18, 2024
@Redent0r
python3: patch CVE-2024-9287
db00eb6 
Taken from python/cpython#126185 which is a 3.12 backport of
python/cpython#124712

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
ebonnal pushed a commit to ebonnal/cpython that referenced this pull request Jan 12, 2025
@y5c4l3 @ebonnal
pythongh-124651: Quote template strings in venv activation scripts (p…
4dc9a21 
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Mar 6, 2025
@vstinner @rickprice
CVE-2024-9287 [3.9] pythongh-124651: Quote template strings in venv
517140a 
… activation scripts (pythonGH-124712) (pythonGH-126185) (pythonGH-126269) (pythonGH-126301)

(cherry picked from commit ae961ae)
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Mar 6, 2025
@vstinner @rickprice
CVE-2024-9287 [3.9] pythongh-124651: Quote template strings in venv
b4c60cf 
… activation scripts (pythonGH-124712) (pythonGH-126185) (pythonGH-126269) (pythonGH-126301)

(cherry picked from commit ae961ae)
@rickprice rickprice mentioned this pull request Mar 7, 2025
Merged
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Mar 7, 2025
@vstinner @rickprice
CVE-2024-9287 [3.9] pythongh-124651: Quote template strings in venv
9b114d5 
… activation scripts (pythonGH-124712) (pythonGH-126185) (pythonGH-126269) (pythonGH-126301)

(cherry picked from commit ae961ae)
@rickprice rickprice mentioned this pull request Mar 7, 2025
Merged
gentoo-bot pushed a commit to gentoo/cpython that referenced this pull request Apr 9, 2025
@vstinner @mgorny
[3.9] pythongh-124651: Quote template strings in venv activation sc…
5b9bdc1 
…ripts (pythonGH-124712) (pythonGH-126185) (pythonGH-126269) (pythonGH-126301)

(cherry picked from commit ae961ae)
@sajjaphani sajjaphani mentioned this pull request May 19, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vsajip vsajip vsajip approved these changes

Assignees

@vsajip vsajip

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@y5c4l3 @bedevere-bot @mcepl @vsajip
X Tutup