Skip to content

Security: Remove unsafe PowerShell fallback in WSL #866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
RinZ27 wants to merge 3 commits into
base: dev
Choose a base branch
from
+21 −10
Open

Security: Remove unsafe PowerShell fallback in WSL #866

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7d97417
security: remove unsafe PowerShell fallback in WSL
RinZ27 Dec 30, 2025
19e120e
Security fix for WSL and added claims param to ROPC flow
RinZ27 Jan 6, 2026
3f653e0
Revert accidental changes to msal/application.py
RinZ27 Jan 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions msal/application.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,9 @@ def _extract_cert_and_thumbprints(cert):
[1:-1] # Strip the "--- header ---" and "--- footer ---"
)
]
# https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object
sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex() # Requires cryptography 0.7+
sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex() # Requires cryptography 0.7+
# https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object - Requires cryptography 0.7+
sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex()
sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex() # CodeQL [SM02167] for legacy support such as ADFS
return sha256_thumbprint, sha1_thumbprint, x5c

def _parse_pfx(pfx_path, passphrase_bytes):
Expand Down
25 changes: 18 additions & 7 deletions msal/oauth2cli/authcode.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,15 +76,26 @@ def _browse(auth_uri, browser_name=None): # throws ImportError, webbrowser.Erro

# In WSL which doesn't have www-browser, try launching browser with PowerShell
if not browser_opened and is_wsl():
try:
import subprocess
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
# Ampersand (&) should be quoted
exit_code = subprocess.call(
['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(auth_uri)])
import subprocess
try: # Try wslview first, which is the recommended way on WSL
# https://github.com/wslutilities/wslu
exit_code = subprocess.call(['wslview', auth_uri])
browser_opened = exit_code == 0
except FileNotFoundError: # WSL might be too old
except FileNotFoundError: # wslview might not be installed
pass
if not browser_opened:
try:
# Fallback to powershell.exe, using -EncodedCommand to prevent injection.
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
import base64
# PowerShell expects UTF-16LE for EncodedCommand
cmd = u'Start-Process "{}"'.format(auth_uri.replace('"', '`"'))
encoded_cmd = base64.b64encode(cmd.encode('utf-16-le')).decode('ascii')
exit_code = subprocess.call(
['powershell.exe', '-NoProfile', '-NonInteractive', '-EncodedCommand', encoded_cmd])
browser_opened = exit_code == 0
except (FileNotFoundError, ImportError): # WSL might be too old
pass
return browser_opened


Expand Down