Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.7k
Closed
Description
Bug report
Bug description:
Crafted paths break the script templates:
envname='";uname -a;"'mkdir "$envname"cd "$envname"python3 -m venv .. ./bin/activate
Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39 +0000 x86_64 GNU/LinuxLikepypa/virtualenv#2768 the execution path itself is low-risk, but it enables many potential downstream attack vectors. Downstream projects that automatically initialize and activatevenv at a controllable path (e.g. read from repo configuration file) could execute unexpected commands.
CPython versions tested on:
3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch
Operating systems tested on:
Linux
Linked PRs
- gh-124651: Quote template strings in
venvactivation scripts #124712 - [3.13] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) #125813 - [3.12] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) #125947 - [3.12] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) #126185 - [3.11] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) (GH-126185) #126269 - [3.10] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) (GH-126185) (#126269) #126300 - [3.9] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) (GH-126185) (#126269) #126301