[New-bugs-announce] [issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

symphorien report at bugs.python.org
Sat Dec 31 14:00:30 EST 2016


New submission from symphorien:

The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection:

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"

or 

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()"

Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError.

The offending code is here: https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208

----------
components: Tkinter
messages: 284408
nosy: symphorien
priority: normal
severity: normal
status: open
title: Shell injection via TIX_LIBRARY when using tkinter.tix
type: security
versions: Python 2.7, Python 3.6

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29125>
_______________________________________
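Added illustration of the bug class the report describes; this is not the reporter's code and not the tix.py source. The script template is an assumption modelled on the report (a path pasted into a brace-quoted Tcl word with string formatting), the payload is constructed in the style of the one above but sets a variable instead of exec'ing a program, and the hardened form passes the value to Tcl as a separate argument so it is never parsed as script. A small brace-balance check shows how to reject env values that cannot be a plain path.

```python
"""TIX_LIBRARY-style injection: string-formatted Tcl script vs. argument passing.

Added example; not CPython code. The template is an assumption about the
shape of the vulnerable call, not a copy of Lib/tkinter/tix.py.
"""

# Assumed vulnerable pattern: env value pasted into Tcl source text.
UNSAFE_TEMPLATE = 'global auto_path; lappend auto_path {%s}'

# Constructed payload. The first '}' closes the brace-quoted word, the
# injected command runs, and the trailing '{' re-opens a word so the
# script stays parseable and the effect can be observed afterwards.
PAYLOAD = '/dev/null}; set pwned 1; lappend auto_path {'


def build_unsafe_script(tixlib):
    """The injection point: tixlib becomes part of the script text."""
    return UNSAFE_TEMPLATE % tixlib


def brace_word_escapes(value):
    """True if `value` placed inside a Tcl {...} word would close that
    word early (nesting depth goes negative) or leave it unterminated.
    Tcl nests braces and ignores backslash-escaped ones."""
    depth = 0
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\':
            i += 2  # escaped character never counts toward nesting
            continue
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth < 0:
                return True
        i += 1
    return depth != 0


def checked_tixlib(value):
    """Reject env values that cannot be interpolated as a plain path."""
    if brace_word_escapes(value):
        raise ValueError('TIX_LIBRARY is not a plain path: %r' % value)
    return value


def lappend_safely(tkapp, varname, value):
    """Hardened form: the value travels as its own Tcl argument, so the
    interpreter appends it verbatim and never parses it as script."""
    tkapp.call('lappend', varname, value)


def run_in_tcl(tixlib):
    """Run both forms in real Tcl interpreters (no display needed).
    Returns (unsafe_pwned, safe_pwned, safe_last_element), or None when
    this Python has no usable _tkinter/Tcl."""
    try:
        import tkinter
        unsafe = tkinter.Tcl().tk
        safe = tkinter.Tcl().tk
    except Exception:  # no _tkinter module or no usable Tcl library
        return None
    unsafe.eval(build_unsafe_script(tixlib))
    unsafe_pwned = unsafe.eval('info exists pwned') == '1'
    lappend_safely(safe, 'auto_path', tixlib)
    safe_pwned = safe.eval('info exists pwned') == '1'
    last = safe.eval('lindex $auto_path end')
    return unsafe_pwned, safe_pwned, last


if __name__ == '__main__':
    print(build_unsafe_script(PAYLOAD))
    print('escapes braces:', brace_word_escapes(PAYLOAD))
    print('tcl result:', run_in_tcl(PAYLOAD))
```

With a working _tkinter, run_in_tcl returns (True, False, PAYLOAD): the formatted script executes the injected `set pwned 1`, while the argument-passing form leaves `pwned` undefined and stores the hostile string as an ordinary list element. The report's real payload ends with `exec gsimplecal;` and a dangling `}`, which is why Python waits for the program and then raises TclError: Tcl runs the commands one by one and only fails when it reaches the stray brace.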