Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

gh-114539: Clarify implicit launching of shells by subprocess#117996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
zooba merged 2 commits intopython:mainfromzooba:gh-114539
Apr 17, 2024

Conversation

zooba
Copy link
Member

@zoobazooba commentedApr 17, 2024
edited by github-actionsbot
Loading

This is the same issue as recently disclosed by Rust (CVE-2024-24576), but as it is intentional operating system behaviour, we consider it to not be a Python vulnerability. If an attacker can influence the executable argument and other arguments, no reasonable validation can detect this case (without actually launching the executable and seeing what happens), and the app is exploitable already.

Rust was already detecting whether the executable was a batch file and changing their behaviour, which is why they chose to apply a fix. Python does no such detection, but relies exclusively on theshell argument.

📚 Documentation preview 📚:https://cpython-previews--117996.org.readthedocs.build/

Copy link
Contributor

@sethmlarsonsethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Thanks Steve! LGTM

@zoobazooba merged commita4b44d3 intopython:mainApr 17, 2024
27 checks passed
@miss-islington-app
Copy link

Thanks@zooba for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12.
🐍🍒⛏🤖

@zoobazooba deleted the gh-114539 branchApril 17, 2024 18:32
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestApr 17, 2024
…ythonGH-117996)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-app
Copy link

GH-118002 is a backport of this pull request to the3.12 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.12only security fixes labelApr 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestApr 17, 2024
…ythonGH-117996)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-app
Copy link

GH-118003 is a backport of this pull request to the3.11 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.11only security fixes labelApr 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestApr 17, 2024
…ythonGH-117996)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-app
Copy link

GH-118004 is a backport of this pull request to the3.10 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.10only security fixes labelApr 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestApr 17, 2024
…ythonGH-117996)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-app
Copy link

GH-118005 is a backport of this pull request to the3.9 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.9only security fixes labelApr 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestApr 17, 2024
…ythonGH-117996)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-app
Copy link

GH-118006 is a backport of this pull request to the3.8 branch.

zooba added a commit that referenced this pull requestApr 17, 2024
…H-117996) (#118002)gh-114539: Clarify implicit launching of shells by subprocess (GH-117996)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
ambv pushed a commit that referenced this pull requestMay 7, 2024
…H-117996) (GH-118004)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
ambv pushed a commit that referenced this pull requestMay 7, 2024
…H-117996) (GH-118005)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
ambv pushed a commit that referenced this pull requestMay 7, 2024
…H-117996) (GH-118006)(cherry picked from commita4b44d3)Co-authored-by: Steve Dower <steve.dower@python.org>
hugovk pushed a commit that referenced this pull requestAug 9, 2024
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@gpsheadgpsheadgpshead approved these changes

@sethmlarsonsethmlarsonsethmlarson approved these changes

Assignees
No one assigned
Labels
docsDocumentation in the Doc dirskip newstype-securityA security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

3 participants
@zooba@gpshead@sethmlarson
[8]ページ先頭
©2009-2025 Movatter.jp