Issue2882

classification

Title:	A cmd.exe in the CWD will be executed unexpectedly
Type:	security	Severity:	normal
Components:		Versions:	Jython 2.7.1, Jython 2.7.2
		Milestone:	Jython 2.7.3

process

Status:	open	Resolution:
Dependencies:		Superseder:
Assigned To:		Nosy List:	jeff.allen
Priority:	normal	Keywords:	easy

Created on 2020-04-22.18:56:21 by jeff.allen, last changed 2020-04-22.18:56:21 by jeff.allen.

Messages
msg13036 (view)	Author: Jeff Allen (jeff.allen)	Date: 2020-04-22.18:56:21
It is identified in https://github.com/NationalSecurityAgency/ghidra/issues/107 that we call "cmd.exe" without specifying the exact path, and that in the event a cmd.exe exists in the working directory, that will be run instead. This can be a trip hazard when working with dangerous material. PySystemState is blamed in the reference, but a search shows that we mention cmd.exe in the posix module too. And there we should consider removing command.com too :) Almost certainly, the right answer is to use COMSPEC to find it, compare the standard library subprocess.py . In CPython that falls back to "cmd.exe" if COMSPEC is not defined. In Jython it uses the list ultimately defined in enum OS .

msg13036 (view)

Author: Jeff Allen (jeff.allen)

Date: 2020-04-22.18:56:21

It is identified in https://github.com/NationalSecurityAgency/ghidra/issues/107 that we call "cmd.exe" without specifying the exact path, and that in the event a cmd.exe exists in the working directory, that will be run instead. This can be a trip hazard when working with dangerous material.

PySystemState is blamed in the reference, but a search shows that we mention cmd.exe in the posix module too. And there we should consider removing command.com too :)

Almost certainly, the right answer is to use COMSPEC to find it, compare the  standard library subprocess.py . In CPython that falls back to "cmd.exe" if COMSPEC is not defined. In Jython it uses the list ultimately defined in enum OS .

History
Date	User	Action	Args
2020-04-22 18:56:21	jeff.allen	create