Skip to content

/ cpython

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.7] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231) #18232

Open
wants to merge 1 commit into
base: 3.7
from
Open

[3.7] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231) #18232

wants to merge 1 commit into from
+15 −4

Conversation

@zooba
Copy link
Member

zooba commented Jan 28, 2020
edited by bedevere-bot

https://bugs.python.org/issue39401
@zooba
bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier
Loading status checks…
394b15a
@zooba zooba requested a review from python/windows-team as a code owner Jan 28, 2020
@anthonywee
anthonywee reviewed Jan 28, 2020
View changes
PC/getpathp.c
@@ -245,7 +245,8 @@ static void
join(wchar_t *buffer, const wchar_t *stuff)
{
if (_PathCchCombineEx_Initialized == 0) {
HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,

This comment has been minimized.

Sign in to view
Copy link
@anthonywee

anthonywee Jan 28, 2020
edited

Contributor

Do we need to check that the LOAD_LIBRARY_SEARCH_ flags are available on the machine? It looks like KB2533623
needs to be installed: https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexw

This comment has been minimized.

Sign in to view
Copy link
@zooba

zooba Jan 28, 2020

Author Member

The check is in the installer (I backported it for 3.7).

Considering Windows 7 is EOL, I don't think it's unreasonable to require the update.

This comment has been minimized.

Sign in to view
Copy link
@anthonywee

anthonywee Jan 28, 2020

Contributor

Ah cool, just noticed that. Thanks!
@anthonywee
anthonywee reviewed Jan 28, 2020
View changes
PC/getpathp.c
@@ -245,7 +245,8 @@ static void
join(wchar_t *buffer, const wchar_t *stuff)
{
if (_PathCchCombineEx_Initialized == 0) {
HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,

This comment has been minimized.

Sign in to view
Copy link
@anthonywee

anthonywee Jan 28, 2020

Contributor

Here's what I was thinking:

Suggested change
HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,
_PathCchCombineEx = NULL;
if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory") != NULL) {
/* Check that we can use the LOAD_LIBRARY_SEARCH_SYSTEM32 flag below by ensuring
the AddDllDirectory method exists first */
HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,
LOAD_LIBRARY_SEARCH_SYSTEM32);
if (pathapi) {
_PathCchCombineEx = (PPathCchCombineEx)GetProcAddress(pathapi, "PathCchCombineEx");
}
}

This comment has been minimized.

Sign in to view
Copy link
@anthonywee

anthonywee Jan 28, 2020

Contributor

(the suggestion isn't exactly correct since the GitHub suggestion was only for a single line)
@zooba zooba self-assigned this Jan 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anthonywee anthonywee

@python/windows-team windows-team

Assignees

@zooba zooba

Labels
CLA signed awaiting core review type-security
Projects
None yet
Milestone
No milestone
4 participants
@zooba @anthonywee @the-knights-who-say-ni @bedevere-bot
You can’t perform that action at this time.