[CVE-2024-9287] `venv` activation scripts do not quote strings properly

[y5c4l3]

Bug report

Bug description:

Crafted paths break the script templates:

envname='";uname -a;"'
mkdir "$envname"
cd "$envname"
python3 -m venv .
. ./bin/activate

Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39 +0000 x86_64 GNU/Linux

Like pypa/virtualenv#2768 the execution path itself is low-risk, but it enables many potential downstream attack vectors. Downstream projects that automatically initialize and activate venv at a controllable path (e.g. read from repo configuration file) could execute unexpected commands.

CPython versions tested on:

3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch

Operating systems tested on:

Linux

Linked PRs

• gh-124651: Quote template strings in venv activation scripts #124712
• [3.13] gh-124651: Quote template strings in venv activation scripts (GH-124712) #125813
• [3.12] gh-124651: Quote template strings in venv activation scripts (GH-124712) #125947
• [3.12] gh-124651: Quote template strings in venv activation scripts (GH-124712) #126185
• [3.11] gh-124651: Quote template strings in venv activation scripts (GH-124712) (GH-126185) #126269
• [3.10] gh-124651: Quote template strings in venv activation scripts (GH-124712) (GH-126185) (#126269) #126300
• [3.9] gh-124651: Quote template strings in venv activation scripts (GH-124712) (GH-126185) (#126269) #126301

[sethmlarson]

Hey @y5c4l3, thanks for reporting this. We're going to treat this as a low-risk security issue. You or anyone else can submit a fix normally. If you have questions about this, send an email to security@python.org.

[y5c4l3]

@sethmlarson Thanks for the reply! Could you please help me with a code review for this PR as well as #124155? The code owner for venv seems to be unavailable recently.

[gpshead]

can we keep this open until all of the security branch backports are done?