[CVE-2024-9287] venv activation scripts do not quote strings properly #124651
Description
Bug report
Bug description:
Crafted paths break the script templates:
envname='";uname -a;"'
mkdir "$envname"
cd "$envname"
python3 -m venv .
. ./bin/activateLinux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39 +0000 x86_64 GNU/Linux
Like pypa/virtualenv#2768 the execution path itself is low-risk, but it enables many potential downstream attack vectors. Downstream projects that automatically initialize and activate venv at a controllable path (e.g. read from repo configuration file) could execute unexpected commands.
CPython versions tested on:
3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch
Operating systems tested on:
Linux
Linked PRs
- gh-124651: Quote template strings in
venvactivation scripts #124712 - [3.13] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) #125813 - [3.12] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) #125947 - [3.12] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) #126185 - [3.11] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) (GH-126185) #126269 - [3.10] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) (GH-126185) (#126269) #126300 - [3.9] gh-124651: Quote template strings in
venvactivation scripts (GH-124712) (GH-126185) (#126269) #126301