[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

Terry J. Reedy report at bugs.python.org
Sat Jan 14 05:45:14 EST 2017


Terry J. Reedy added the comment:

In the original code, python interpolates tixlib into the string sent to and executed by tcl exec.  With the patch, tcl exec does the interpolation.  Not knowing anything in particular about tcl's exec, I found a value for tixlib that appears to validate Serhiy's claim that tcl exec does not rescan.

C:\Users\Terry>py -3.5
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 25 2016, 22:18:55) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import tkinter as tk
>>> tka = tk.Tk().tk
>>> txlib =  '} python -c "print(999)"'
>>> tka.setvar('TIX_LIBRARY', txlib)
>>> tka.eval('global autopath; lappend auto_path {%s}' % txlib)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
_tkinter.TclError: extra characters after close-quote

>>> tka.eval('global autopath; lappend auto_path $TIX_LIBRARY')
'{C:\\Programs\\Python35\\tcl\\tcl8.6} C:/Programs/Python35/tcl C:/Programs/lib C:/Programs/Python35/tcl/tk8.6 C:/Programs/Python35/tcl/tk8.6/ttk \\}\\ python\\ -c\\ \\"print(999)\\"'

I don't understand exactly why (or when) TclError is raised, but it is only raised when python does the interpolation.  And for this string, only when '}' is present.  Without the '}', there is no exception and the interpolated string is simply appended, as with the new $TIX_LIBRARY code.

test_tix, such as it is, passes with the patch.  So unless I missed something the patch appears to be both safe and useful.

Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29125>
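The two patterns compared in the comment above, as an added example (not code from the report or from CPython's tix.py): it uses a bare Tcl interpreter via tkinter.Tcl(), so no display is needed, and a constructed marker value whose only effect is to set a Tcl variable, which lets the result tuple show whether the value was appended as one list element or parsed as extra commands. The function names and the third, argument-passing variant are mine.

```python
import tkinter

# Constructed values. The first is the one from the report; the second only sets
# a marker variable, so the check below can tell whether a second Tcl command ran.
PAYLOAD_FROM_REPORT = '} python -c "print(999)"'
PAYLOAD_MARKER = '}; set injected yes; lappend auto_path {'


def _fresh_interp():
    """A Tcl interpreter without Tk (no display needed) and an empty auto_path."""
    tcl = tkinter.Tcl()   # Tk object with useTk=False; eval/setvar/call go to Tcl
    tcl.eval('set auto_path {}')
    return tcl


def _summarise(tcl):
    """(length of auto_path, its last element, whether the marker variable exists)."""
    return (int(tcl.eval('llength $auto_path')),
            tcl.eval('lindex $auto_path end'),
            tcl.eval('info exists injected') == '1')


def append_via_python_format(tixlib):
    """Pre-patch pattern: Python builds the Tcl source text, so Tcl parses the
    value as code and a '}' inside it ends the brace group early."""
    tcl = _fresh_interp()
    try:
        tcl.eval('global auto_path; lappend auto_path {%s}' % tixlib)
    except tkinter.TclError as exc:
        return ('error', str(exc))
    return ('ok',) + _summarise(tcl)


def append_via_tcl_variable(tixlib):
    """Patched pattern: the value sits in a Tcl variable and $TIX_LIBRARY is
    substituted as one word; substituted text is not parsed again."""
    tcl = _fresh_interp()
    tcl.setvar('TIX_LIBRARY', tixlib)
    tcl.eval('global auto_path; lappend auto_path $TIX_LIBRARY')
    return ('ok',) + _summarise(tcl)


def append_via_call(tixlib):
    """Same effect without composing any Tcl source: pass the value as an argument."""
    tcl = _fresh_interp()
    tcl.call('lappend', 'auto_path', tixlib)
    return ('ok',) + _summarise(tcl)
```

With the report's value the formatted version fails to parse, as in the session above; with the marker value it appends two empty elements and sets the marker, while the variable and call forms store the exact string as a single element in both cases.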