René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Undocumented risky behaviour in subprocess module","articleBody":"# Bug report - Undocumented risky behaviour in subprocess module\r\n\r\nWhen using `subprocess.Popen` with `shell=True` on Windows and without a `COMSPEC` environment variable, a `cmd.exe` is launched. The problem is the `cmd.exe` full path is not written, Windows will search the executable in the current directory and in the PATH. If an arbitrary executable file is written to the current directory or to a directory in the PATH, it can be run instead of the real cmd.exe.\r\n\r\nSee the code [here](https://github.com/python/cpython/blob/38cc24f119346e2947e316478b58e58f0dde307c/Lib/subprocess.py#L1480) and a POC [here](https://github.com/mauricelambert/PythonSubprocessVulnerabilityPOC).\r\n\r\n - This risky behaviour can be patched by replacing `cmd.exe` string by `C:\\WINDOWS\\system32\\cmd.exe`.\r\n - If the behavior was chosen by python developers, it should be documented.\r\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-101286\n* gh-101708\n* gh-101709\n* gh-101710\n* gh-101711\n* gh-101712\n* gh-101713\n* gh-101719\n* gh-101721\n* gh-101728\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/mauricelambert","@type":"Person","name":"mauricelambert"},"datePublished":"2023-01-24T11:19:13.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":6},"url":"https://github.com/101283/cpython/issues/101283"}