Bug report - Undocumented risky behaviour in subprocess module

When using subprocess.Popen with shell=True on Windows and without a COMSPEC environment variable, a cmd.exe is launched. The problem is the cmd.exe full path is not written, Windows will search the executable in the current directory and in the PATH. If an arbitrary executable file is written to the current directory or to a directory in the PATH, it can be run instead of the real cmd.exe.

See the code here and a POC here.

• This risky behaviour can be patched by replacing cmd.exe string by C:\WINDOWS\system32\cmd.exe.
• If the behavior was chosen by python developers, it should be documented.

Linked PRs

• gh-101283: Try to load the fallback cmd.exe by an absolute path #101286
• [3.10] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101708
• [3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101709
• [3.8] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101710
• [3.11] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101711
• gh-101283: Fix use of unbound variable #101712
• [3.7] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101713
• gh-101283: Version was just released, so should be changed in 3.11.3 #101719
• [3.11] gh-101283: Version was just released, so should be changed in 3.11.3 (GH-101719) #101721
• gh-101283: Fix the versionchanged of gh-101283 (3.12 only) #101728