CVE-2023-40590 fix capitalized all environment variables on Windows · Issue #1646 · gitpython-developers/GitPython

This fix: 6029211 capitalized all environment variables on Windows. It can be illustrated by this short program:

```python
import subprocess

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))

import git

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))
```

The output is:

```
SystemRoot=C:\Windows

SYSTEMROOT=C:\Windows
```

This side effect currently breaks our use case. We use GNU make in Cygwin for our build, in which all environment variables are case sensitive.

The core problem was unittest.mock.patch.dict(os.environ, {"NoDefaultCurrentDirectoryInExePath": "1"}), which tries to treat os.environ as a dictionary, but os.environ is not just a simple dictionary. It actually remembers the original casing of the environment variable. Unfortunately, when reading it as a dictionary, it capitalizes all letters.

We can also observe the same side effect with this code below:

```python
import os
import subprocess
import unittest.mock

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))

with unittest.mock.patch.dict(os.environ, {"NoDefaultCurrentDirectoryInExePath": "1"}):
    pass

print(subprocess.check_output(
    "set | findstr /c:SystemRoot /i", shell=True, universal_newlines=True
))
```

The side effect is the same as above.
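Added example (not the issue author's code and not GitPython's): a constructed stand-in for the Windows `os.environ` mapping that records every name handed to the process environment, so the mechanism described above can be reproduced on any OS. It shows why `patch.dict` re-sets every variable under an upper-cased name on exit, while setting and restoring a single variable touches only that one name.

```python
import unittest.mock
from collections.abc import MutableMapping
from contextlib import contextmanager


class FakeWindowsEnviron(MutableMapping):
    """Toy model of os.environ on Windows (constructed for this example).

    Like CPython's os._Environ on Windows, keys are upper-cased before they
    are stored, and every write/delete is forwarded to a putenv-like hook.
    `putenv_log` records the names the process environment actually sees.
    """

    def __init__(self, initial):
        self._data = {k.upper(): v for k, v in initial.items()}  # no putenv for the initial load
        self.putenv_log = []

    def __getitem__(self, key):
        return self._data[key.upper()]

    def __setitem__(self, key, value):
        key = key.upper()  # mirrors _Environ.encodekey on Windows
        self.putenv_log.append(("set", key))
        self._data[key] = value

    def __delitem__(self, key):
        key = key.upper()
        self.putenv_log.append(("unset", key))
        del self._data[key]

    def __iter__(self):
        return iter(self._data)  # iteration yields the upper-cased names

    def __len__(self):
        return len(self._data)


@contextmanager
def set_single_var(environ, name, value):
    """Set one variable and, on exit, restore only that variable."""
    old = environ.get(name)
    environ[name] = value
    try:
        yield
    finally:
        if old is None:
            del environ[name]
        else:
            environ[name] = old


def names_touched_by_patch_dict(env):
    # patch.dict snapshots the mapping (upper-cased keys), then clears and
    # re-populates it on exit, so every variable is re-set under its upper-cased name.
    with unittest.mock.patch.dict(env, {"NoDefaultCurrentDirectoryInExePath": "1"}):
        pass
    return sorted({name for _, name in env.putenv_log})


def names_touched_by_single_var(env):
    with set_single_var(env, "NoDefaultCurrentDirectoryInExePath", "1"):
        pass
    return sorted({name for _, name in env.putenv_log})
```

On a real Windows process the same difference shows up as `SYSTEMROOT=` versus `SystemRoot=` in the `set` output quoted above.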