Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
[doc] subprocess security considerations needs a Windows-specific exception #114539
Comments
zooba
added
docs
|
Starting proposal:
|
|
Is the situation really as vague as 'may be' (unless forced by |
|
@zooba Thanks for opening the issue! Regarding the wording, using subprocess.run([".\\test.bat", "&calc.exe"], shell=True)The above snippet will spawn the following process, which still executes @terryjreedy It's always launched using |
If we assume that the file system can change at any time, then it's not deterministic, even for the same call. But assuming nobody modifies the file you are executing, it should always use the same mechanism. I do know more details about when/why it might vary, but we don't want to document them. There's also always the potential that Microsoft could change the behaviour and/or add an option to change the behaviour, and we don't want our docs to be invalidated by that. The main aim is to encourage users to pass
I know we've discussed this at various points over the years... it ought to be a long-standing bug if it's not working right now. But we might need to make sure we're correctly handling command characters (and compatibly across platforms). |
I guess I can add that the main issue is that a |
|
Yep. IIRC Windows and related software has had a notorious number of security bugs related to unfortunate magic file type detection based on contents rather than what the name, extension, or mime type says... We can't prevent a fundamental platform issue on the Python side. |
|
In defence of this case, by passing the path to But it's the fallback behaviour in this (and other) cases that cause problems. Which might also be why I'm instinctively against adding "abstract" behaviour to our concrete C APIs... 🤔 |
The documentation at https://docs.python.org/3/library/subprocess.html#security-considerations says that "this implementation will never implicitly call a system shell".
While this is technically true, on Windows the underlying CreateProcess API may create a system shell, which then exposes arguments to shell parsing. This happens when passed a
.bator.cmdfile.PSRT review of the issue determined that we can't safely detect and handle this situation without causing new issues and making it more complex for users to work around when they want to intentionally launch a batch file without shell processing. For the two cases of untrusted input, an untrusted application/
argv[0]is already vulnerable, and an untrusted argument/argv[1:]is safe providedargv[0]is controlled. However, we do need to inform developers of the inconsistency so they can check their own use.We'll use this issue to ensure we get good wording. First proposal in the next comment.
Thanks to RyotaK for reporting responsibly to the Python Security Response Team.
The text was updated successfully, but these errors were encountered: