Issue 2882

Classification
Title: A cmd.exe in the CWD will be executed unexpectedly
Type: security
Severity: normal
Components: (none)
Versions: Jython 2.7.1, Jython 2.7.2
Milestone: Jython 2.7.3

Process
Status: closed
Resolution: fixed
Dependencies: (none)
Superseder: (none)
Assigned To: (none)
Nosy List: jeff.allen
Priority: normal
Keywords: easy

Created on 2020-04-22.18:56:21 by jeff.allen, last changed 2022-05-07.06:47:28 by jeff.allen.

Messages
msg13036 (view) Author: Jeff Allen (jeff.allen) Date: 2020-04-22.18:56:21
It is identified in https://github.com/NationalSecurityAgency/ghidra/issues/107 that we call "cmd.exe" without specifying the exact path, and that in the event a cmd.exe exists in the working directory, that will be run instead. This can be a trip hazard when working with dangerous material.

PySystemState is blamed in the reference, but a search shows that we mention cmd.exe in the posix module too. And there we should consider removing command.com too :)

Almost certainly, the right answer is to use COMSPEC to find it, compare the standard library subprocess.py. In CPython that falls back to "cmd.exe" if COMSPEC is not defined. In Jython it uses the list ultimately defined in enum OS.
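An added example of the resolution strategy proposed above (it is not Jython's fix nor CPython's subprocess.py): take the interpreter from COMSPEC when it is an absolute path, and otherwise fall back to an absolute path under SystemRoot rather than the bare name "cmd.exe", which the OS would look up in the current directory among other places. It uses ntpath so it runs on any host; the DEFAULT_SYSTEM_ROOT value is an assumption.

```python
import ntpath

# Assumed default when neither COMSPEC nor SystemRoot is set; not from the issue.
DEFAULT_SYSTEM_ROOT = r"C:\Windows"


def is_bare_name(executable):
    """True when the name has no directory part, i.e. the OS would search
    for it (Windows includes the current directory in that search)."""
    return ntpath.dirname(executable) == ""


def resolve_shell(env):
    """Return an absolute path to the Windows command interpreter.

    env is a mapping like os.environ; it is passed in explicitly so the
    logic can be exercised without a Windows environment.
    """
    comspec = env.get("COMSPEC")
    if comspec and ntpath.isabs(comspec):
        return comspec
    # COMSPEC missing or relative: never return the bare "cmd.exe".
    system_root = env.get("SystemRoot", DEFAULT_SYSTEM_ROOT)
    return ntpath.join(system_root, "System32", "cmd.exe")


def shell_argv(command, env):
    """Argument vector for running `command` through the interpreter,
    mirroring the `<shell> /c <command>` shape used by subprocess."""
    shell = resolve_shell(env)
    assert not is_bare_name(shell)
    return [shell, "/c", command]


if __name__ == "__main__":
    # Constructed environments: one with COMSPEC set, one without.
    print(shell_argv("dir", {"COMSPEC": r"C:\Windows\system32\cmd.exe"}))
    print(shell_argv("dir", {}))
```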
msg13212 (view) Author: Jeff Allen (jeff.allen) Date: 2022-05-07.06:47:28
Also https://github.com/jython/jython/pull/136. Fixed in
https://github.com/jython/jython/commit/15e6613ab8c7ac8a7b6de72a51bf32a2584f9397
https://github.com/jython/jython/commit/bd6dc9443d0c22d903a2482aac03c95f8dcea373
History
Date | User | Action | Args
2022-05-07 06:47:28 | jeff.allen | set | status: open -> closed; resolution: fixed; messages: + msg13212
2020-04-22 18:56:21 | jeff.allen | create |