New submission from Serhiy Storchaka: _posixsubprocess.fork_exec() takes a sequence of file descriptors. It first validates it, and since the validation is passed uses it without checking for errors. But since __len__, __getitem__ and __int__ can execute user code and release GIL, errors can occur after the validation. This can cause a crash.
Proposed patch fixes this by the simplest way -- it restricts the type of a sequence to tuple and types of elements to int. Since _posixsubprocess is private module this shouldn't break third-party code. Other issue with _posixsubprocess.fork_exec() was that it converts args to a tuple or a list and iterate it without checking if the size is changed. ---------- components: Extension Modules messages: 291595 nosy: serhiy.storchaka priority: normal severity: normal stage: patch review status: open title: Insufficient validation in _posixsubprocess.fork_exec() type: crash versions: Python 3.5, Python 3.6, Python 3.7 _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue30065> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
