[New-bugs-announce] [issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape
Sergey G. Brester
report at bugs.python.org
Fri Aug 24 15:44:10 EDT 2018
New submission from Sergey G. Brester <serg.brester at sebres.de>:
There is a vulnerability "insufficient escape of special chars for quoting of arguments by exec process" for python-language, if executing windows batch-files (bat/cmd).
### What version of python is affected?
### Does this issue reproduce with the latest master?
### What did you do?
Execution of batch-file using `subprocess` module with arguments containing some special meta-characters.
A recipe for reproducing the error as well as more extensive PoC with additional info (and more lang's affected also):
A complete runnable program:
#### A simple example:
# invoke exe-file:
>>> import subprocess
>>> subprocess.call(['test-dump.exe', 'test&whoami'])
+ `test-dump.exe´ `test&whoami´
# invoke cmd-file:
>>> subprocess.call(['test-dump.CMD', 'test&whoami'])
- `test-dump.exe´ `test´my_domain\sebres
For more "broken" cases, see the result of my test-suite:
### What did you expect to see?
Arguments are escaped/quoted properly.
### What did you see instead?
Arguments are insufficient escaped/quoted, so it is vulnerable currently.
For possible solution see the github-PR#8906:
For algorithm description:
resp. how it was fixed in TCL (C-code):
- https://core.tcl-lang.org/tcl/vdiff?from=core-8-5-branch&to=0-day-21b0629c81 (see the function `BuildCommandLine`)
### Possible similar issues:
components: Library (Lib), Windows
nosy: paul.moore, sebres, steve.dower, tim.golden, zach.ware
title: subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce