[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix
Serhiy Storchaka
report at bugs.python.org
Fri Jan 6 16:54:52 EST 2017
Serhiy Storchaka added the comment:
Yes, this prevents the injection.
The injection is possible because the path is substituted in the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'.
My patch first sets a path to a Tcl variable (there is no injection, because a special API is used instead of evaluating a generated script), and then uses this variable in the script (unlike the Unix shell, Tcl doesn't reparse the command after substituting variables).
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29125>
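The two approaches contrasted in the comment, as an added example that is not the tracker's or CPython's own code: a display-less Tcl interpreter from tkinter.Tcl(), a script that pastes the path into a brace-quoted word, and the variable-API alternative. The variable names `lib_path` and `tix_library` are assumed, and the sample paths are constructed.

```python
import tkinter

# Constructed sample values for TIX_LIBRARY. Each is an ordinary-looking
# path that contains a character Tcl treats specially inside braces.
SAMPLE_PATHS = [
    "C:\\Tix8.4\\",      # trailing backslash: "\}" does not count as a closing brace
    "/opt/tix}/lib",     # unbalanced "}" ends the brace-quoted word early
]


def append_unsafe(path):
    """Interpolate the path into a script string, then let Tcl parse it.

    This is the pattern the comment objects to (hypothetical script, not
    tix.py itself): the interpreter sees the path as Tcl source text.
    """
    tcl = tkinter.Tcl()                     # Tcl interpreter, no Tk display needed
    tcl.tk.eval('lappend lib_path {%s}' % path)
    return tcl.tk.eval('lindex $lib_path end')


def append_safe(path):
    """Store the path through the variable API, then reference the variable.

    setvar() hands the value to Tcl as data, never as source text, and Tcl
    does not re-parse a substituted variable, so the word arrives intact.
    """
    tcl = tkinter.Tcl()
    tcl.tk.setvar('tix_library', path)      # 'tix_library' is an assumed name
    tcl.tk.eval('lappend lib_path $tix_library')
    return tcl.tk.eval('lindex $lib_path end')


def compare(path):
    """Return (unsafe_result, safe_result); the unsafe side may fail to parse."""
    try:
        unsafe = append_unsafe(path)
    except tkinter.TclError as exc:
        unsafe = 'TclError: %s' % exc
    return unsafe, append_safe(path)


if __name__ == '__main__':
    for sample in SAMPLE_PATHS:
        unsafe, safe = compare(sample)
        print('%-16r interpolated -> %r' % (sample, unsafe))
        print('%-16s variable API -> %r' % ('', safe))
```

Running it shows the interpolated form raising a Tcl parse error for both samples while the variable-API form returns each path unchanged.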