New submission from symphorien: The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection:
    TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"

or

    TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()"

Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError.

The offending code is here: https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208

----------
components: Tkinter
messages: 284408
nosy: symphorien
priority: normal
severity: normal
status: open
title: Shell injection via TIX_LIBRARY when using tkinter.tix
type: security
versions: Python 2.7, Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29125>
_______________________________________
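As an added example that is not part of the bug report or of CPython's tix.py: the string-interpolation pattern the report points at, beside the argument-passing form that keeps the value opaque to Tcl, both exercised in a bare Tcl interpreter (no Tk window or display) with a harmless constructed payload. The function names, the `injected` variable and `PAYLOAD` are my own; the block returns None on a Python built without _tkinter.

```python
"""Added example (not from the bug report or CPython): why pasting an
environment variable into Tcl source text is injectable, and how passing it
as a separate argument avoids it."""
try:
    import tkinter
except ImportError:      # Python built without _tkinter
    tkinter = None


def unsafe_lappend(tk, value):
    # Same shape as the tix.py code: the value is interpolated into Tcl
    # source.  Braces are not quoting the caller controls; a value holding
    # '}' ends the word early and the remainder is parsed as script.
    tk.eval('global auto_path; lappend auto_path {%s}' % value)


def safe_lappend(tk, value):
    # Hand the value over as its own argument: Tcl receives it as one word
    # and never re-parses it, so braces and semicolons stay literal.
    tk.call('lappend', 'auto_path', value)


def demonstrate(value):
    """Run both variants in fresh interpreters and report what each did."""
    if tkinter is None:
        return None
    results = {}
    for name, fn in (('unsafe', unsafe_lappend), ('safe', safe_lappend)):
        tk = tkinter.Tcl().tk             # Tcl interpreter only, no Tk
        fn(tk, value)
        results[name] = {
            # did the script smuggled inside the value execute?
            'injected': tk.eval('info exists injected') == '1',
            # what actually landed in auto_path?
            'last_element': tk.eval('lindex $auto_path end'),
        }
    return results


# Constructed payload: closes the brace, runs a harmless 'set', then reopens
# a brace so the tail of the original command still parses.
PAYLOAD = '/opt/tix}; set injected 1; lappend auto_path {'

if __name__ == '__main__':
    print(demonstrate(PAYLOAD))
```

In the unsafe run `injected` exists and the last auto_path element is the empty string left by the reopened brace; in the safe run nothing extra executes and the full payload is stored verbatim as one path element.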