-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Command injection is possible via activation script #2768
Labels
Comments
y5c4l3
added a commit
to y5c4l3/virtualenv
that referenced
this issue
Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the magic template strings can be quoted correctly when replacing. This mitigates potential command injection (pypa#2768). Signed-off-by: y5c4l3 <y5c4l3@proton.me>
y5c4l3
added a commit
to y5c4l3/virtualenv
that referenced
this issue
Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the magic template strings can be quoted correctly when replacing. This mitigates potential command injection (pypa#2768). Signed-off-by: y5c4l3 <y5c4l3@proton.me>
y5c4l3
added a commit
to y5c4l3/virtualenv
that referenced
this issue
Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the magic template strings can be quoted correctly when replacing. This mitigates potential command injection (pypa#2768). Signed-off-by: y5c4l3 <y5c4l3@proton.me>
5 tasks
y5c4l3
added a commit
to y5c4l3/virtualenv
that referenced
this issue
Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the magic template strings can be quoted correctly when replacing. This mitigates potential command injection (pypa#2768). Signed-off-by: y5c4l3 <y5c4l3@proton.me>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue
This issue was originally reported to Tidelift, with disclosure negotiated with the maintainer.
The activation script in
virtualenv
is command injectable via a crafted path:The execution path is low-risk since users clearly know what they are doing. However, it makes downstream attack vectors possible. More details on possible exploits of a famous downstream were disclosed to the maintainers of that project and
virtualenv
.Environment
The text was updated successfully, but these errors were encountered: