Bug report - Undocumented risky behaviour in subprocess module

When usingsubprocess.Popen withshell=True on Windows and without aCOMSPEC environment variable, acmd.exe is launched. The problem is thecmd.exe full path is not written, Windows will search the executable in the current directory and in the PATH. If an arbitrary executable file is written to the current directory or to a directory in the PATH, it can be run instead of the real cmd.exe.

See the codehere and a POChere.

• This risky behaviour can be patched by replacingcmd.exe string byC:\WINDOWS\system32\cmd.exe.
• If the behavior was chosen by python developers, it should be documented.

Linked PRs

• gh-101283: Try to load the fallback cmd.exe by an absolute path #101286
• [3.10] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101708
• [3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101709
• [3.8] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101710
• [3.11] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101711
• gh-101283: Fix use of unbound variable #101712
• [3.7] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101713
• gh-101283: Version was just released, so should be changed in 3.11.3 #101719
• [3.11] gh-101283: Version was just released, so should be changed in 3.11.3 (GH-101719) #101721
• gh-101283: Fix theversionchanged of gh-101283 (3.12 only) #101728