Use full path of cmd.exe (#136)

This patch prevents running cmd.exe from the working directory, considered insecure by CVE-2019-17664, instead finding it via the environment variable ComSpec.
jython · May 2, 2022 · 15e6613 · 15e6613
1 parent 3dd105a
commit 15e6613
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/ACKNOWLEDGMENTS b/ACKNOWLEDGMENTS
@@ -189,6 +189,7 @@ Jython in ways large and small, in no particular order:
     Han Siang Phua
     Elisha Hollander
     Thierry Guérin
+    Xiaoyin Liu
     Joe Shannon
 
 Local Variables:

diff --git a/NEWS b/NEWS
@@ -15,6 +15,7 @@ Jython 2.7.3a1
     - [ GH-150 ] Upgrade Netty to 4.1.73 (various CVEs)
     - [ GH-138 ] Upgrade Guava to 31.0.1 (CVE-2020-8908)
     - [ GH-139 ] Make gradlew executable on Unix/Mac
+    - [ GH-136 ] Use full path of cmd.exe (CVE-2019-17664)
     - [ GH-129 ] Only attempt to open source/bytecode if readable (GH-93)
     - [ GH-128 ] Support PYTHONDONTWRITEBYTECODE environment variable
     - [ GH-119 ] array.array itemsize and serialisation anomalies for unsigned types

diff --git a/src/org/python/core/PySystemState.java b/src/org/python/core/PySystemState.java
@@ -1785,7 +1785,7 @@ public static String getSystemVersionString() {
             // "Microsoft Windows [版本 10.0.17134.472]"
             // We match the dots and digits within square brackets.
             Pattern p = Pattern.compile("\\[.* ([\\d.]+)\\]");
-            Matcher m = p.matcher(Py.getCommandResult("cmd.exe", "/c", "ver"));
+            Matcher m = p.matcher(Py.getCommandResult(System.getenv("ComSpec"), "/c", "ver"));
             return m.find() ? m.group(1) : "";
         } else {
             return Py.getCommandResult("uname", "-v");