From eafce1747dd5def0f999d378e6fc97f70eacfd46 Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Tue, 28 Jan 2020 20:54:33 +1100
Subject: [PATCH 1/3] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier
---
 .../2020-01-28-20-54-09.bpo-39401.he7h_A.rst | 1 +
 PC/getpathp.c | 8 +++++---
 .../bootstrap/PythonBootstrapperApplication.cpp | 12 ++++++++++--
 3 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst
diff --git a/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst b/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst
new file mode 100644
index 00000000000000..78274acfcb7438
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst
@@ -0,0 +1 @@
+Avoid unsafe DLL load at startup on Windows 7 and earlier.
diff --git a/PC/getpathp.c b/PC/getpathp.c
index 880ea7b966e5cd..289d4e26066c4c 100644
--- a/PC/getpathp.c
+++ b/PC/getpathp.c
@@ -224,8 +224,9 @@ static void
 join(wchar_t *buffer, const wchar_t *stuff)
 {
 if (_PathCchCombineEx_Initialized == 0) {
- HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
- if (pathapi)
+ HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,
+ LOAD_LIBRARY_SEARCH_SYSTEM32);
+ if (pathapi) {
 _PathCchCombineEx = (PPathCchCombineEx)GetProcAddress(pathapi, "PathCchCombineEx");
 else
 _PathCchCombineEx = NULL;
@@ -249,7 +250,8 @@ static PPathCchCanonicalizeEx _PathCchCanonicalizeEx;
 static void canonicalize(wchar_t *buffer, const wchar_t *path)
 {
 if (_PathCchCanonicalizeEx_Initialized == 0) {
- HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
+ HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,
+ LOAD_LIBRARY_SEARCH_SYSTEM32);
 if (pathapi) {
 _PathCchCanonicalizeEx = (PPathCchCanonicalizeEx)GetProcAddress(pathapi, "PathCchCanonicalizeEx");
 }
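Review bot: The new `LoadLibraryExW(..., NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)` call in join(), and the identical one in canonicalize(), has no comment saying why the search is pinned to System32 or what happens when the OS rejects the flag. The flag is only accepted on Windows 7 once KB2533623 is installed; without it the call fails and `pathapi` is NULL, which join() turns into `_PathCchCombineEx = NULL` (the corresponding branch of canonicalize() is outside its hunk). I would add above each call: `/* Search System32 only: this API-set DLL does not exist on Windows 7, so the default search order would probe other directories. Needs KB2533623; on failure pathapi is NULL and the PathCch function pointer stays unset. */`. Both function bodies continue past the end of their hunks, so the code that consumes a NULL pointer is not visible here.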
diff --git a/Tools/msi/bundle/bootstrap/PythonBootstrapperApplication.cpp b/Tools/msi/bundle/bootstrap/PythonBootstrapperApplication.cpp
index e88981fc3abb46..d14aeff1904700 100644
--- a/Tools/msi/bundle/bootstrap/PythonBootstrapperApplication.cpp
+++ b/Tools/msi/bundle/bootstrap/PythonBootstrapperApplication.cpp
@@ -3042,8 +3042,16 @@ class PythonBootstrapperApplication : public CBalBaseBootstrapperApplication {
 }
 } else {
 if (IsWindows7SP1OrGreater()) {
- BalLog(BOOTSTRAPPER_LOG_LEVEL_STANDARD, "Target OS is Windows 7 SP1 or later");
- return;
+ HMODULE hKernel32 = GetModuleHandleW(L"kernel32");
+ if (hKernel32 && !GetProcAddress(hKernel32, "AddDllDirectory")) {
+ BalLog(BOOTSTRAPPER_LOG_LEVEL_ERROR, "Detected Windows 7 SP1 without KB2533623");
+ BalLog(BOOTSTRAPPER_LOG_LEVEL_ERROR, "KB2533623 update is required to continue.");
+ /* The "MissingSP1" error also specifies updates are required */
+ LocGetString(_wixLoc, L"#(loc.FailureWin7MissingSP1)", &pLocString);
+ } else {
+ BalLog(BOOTSTRAPPER_LOG_LEVEL_STANDARD, "Target OS is Windows 7 SP1 or later");
+ return;
+ }
 } else if (IsWindows7OrGreater()) {
 BalLog(BOOTSTRAPPER_LOG_LEVEL_ERROR, "Detected Windows 7 RTM");
 BalLog(BOOTSTRAPPER_LOG_LEVEL_ERROR, "Service Pack 1 is required to continue installation");
From 01942ca56160f442415e7fcf411b63f129f6ab4a Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Tue, 28 Jan 2020 21:26:21 +1100
Subject: [PATCH 2/3] Remove extra brace
---
 PC/getpathp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PC/getpathp.c b/PC/getpathp.c
index 289d4e26066c4c..e86c376fb4d34e 100644
--- a/PC/getpathp.c
+++ b/PC/getpathp.c
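Review bot: The KB2533623 probe in the PythonBootstrapperApplication.cpp hunk fails open: if `GetModuleHandleW(L"kernel32")` ever returned NULL, `hKernel32 && !GetProcAddress(...)` is false and control reaches the `else` branch that logs "Target OS is Windows 7 SP1 or later" and returns. kernel32 is mapped into every Win32 process, so this is defensive rather than a live bug, but a prerequisite check is safer when any failure to confirm the export blocks the install: `if (!hKernel32 || !GetProcAddress(hKernel32, "AddDllDirectory")) {`. Separately, the user-facing text is the reused `FailureWin7MissingSP1` string, so only the log names KB2533623; whether that string is clear enough for a machine that already has SP1 cannot be judged from this hunk. The enclosing method starts and ends outside the hunk.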
@@ -226,7 +226,7 @@ join(wchar_t *buffer, const wchar_t *stuff)
 if (_PathCchCombineEx_Initialized == 0) {
 HMODULE pathapi = LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,
 LOAD_LIBRARY_SEARCH_SYSTEM32);
- if (pathapi) {
+ if (pathapi)
 _PathCchCombineEx = (PPathCchCombineEx)GetProcAddress(pathapi, "PathCchCombineEx");
 else
 _PathCchCombineEx = NULL;
From 9e3d92d293e37f7bc9b5f9b6aa2dd3ba40b07c37 Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Thu, 30 Jan 2020 16:51:37 +1100
Subject: [PATCH 3/3] Update 2020-01-28-20-54-09.bpo-39401.he7h_A.rst
---
 .../next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst b/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst
index 78274acfcb7438..5071e126b70d02 100644
--- a/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst
+++ b/Misc/NEWS.d/next/Security/2020-01-28-20-54-09.bpo-39401.he7h_A.rst
@@ -1 +1 @@
-Avoid unsafe DLL load at startup on Windows 7 and earlier.
+Avoid unsafe load of ``api-ms-win-core-path-l1-1-0.dll`` at startup on Windows 7.