CVE-2023-40590 fix capitalized all environment variables on Windows #1646

Closed
@irwand

This fix, 6029211, capitalized all environment variables on Windows. It can be illustrated by this short program:

import subprocess

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))

import git

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))

The output is:

SystemRoot=C:\Windows

SYSTEMROOT=C:\Windows

This side effect breaks our use case currently. We use GNU make in Cygwin for our build, in which all environment variables are case sensitive.

The core problem was unittest.mock.patch.dict(os.environ, {"NoDefaultCurrentDirectoryInExePath": "1"}) -- in which it will try to treat os.environ as a dictionary, but os.environ is not just a simple dictionary. It actually remembers the original casing of the environment variable. Unfortunately, when reading it as a dictionary, it capitalizes all letters.

We can also observe the same side effect with this code below:

import os
import subprocess
import unittest.mock

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))

with unittest.mock.patch.dict(os.environ, {"NoDefaultCurrentDirectoryInExePath": "1"}):
    pass

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))

The side effect is the same as above.
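
The following is an added example, not part of the original issue and not GitPython's code. It models the behaviour described above so that it can be run on any OS, and compares patch.dict with a patcher that touches only one variable. `WindowsLikeEnviron`, `patch_one` and `block_after` are hypothetical names, and the model is an assumption that mirrors the case folding the issue reports.

```python
import contextlib
from collections.abc import MutableMapping
from unittest.mock import patch


class WindowsLikeEnviron(MutableMapping):
    """Constructed model of a case-folding environ (assumption, not CPython code)."""

    def __init__(self, block):
        self._vars = {k.upper(): (k, v) for k, v in block.items()}

    def __getitem__(self, key):
        return self._vars[key.upper()][1]

    def __setitem__(self, key, value):
        self._vars[key.upper()] = (key, value)  # remember casing as written

    def __delitem__(self, key):
        del self._vars[key.upper()]

    def __iter__(self):
        return iter(self._vars)  # upper-cased names only

    def __len__(self):
        return len(self._vars)

    def block(self):
        return dict(self._vars.values())  # what a child process would inherit


@contextlib.contextmanager
def patch_one(env, name, value):
    """Set one variable, then restore only that variable."""
    old = env.get(name)
    env[name] = value
    try:
        yield
    finally:
        if old is None:
            del env[name]
        else:
            env[name] = old


def block_after(use_patch_dict):
    env = WindowsLikeEnviron({"SystemRoot": r"C:\Windows"})  # constructed sample
    name = "NoDefaultCurrentDirectoryInExePath"
    with patch.dict(env, {name: "1"}) if use_patch_dict else patch_one(env, name, "1"):
        pass
    return env.block()  # block left behind after the patcher exits
```

patch.dict snapshots the mapping by iterating its upper-cased keys, then clears it and writes every entry back on exit, so each variable is rewritten with the upper-cased name. The single-key patcher never rewrites the other variables.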
