Serhiy Storchaka added the comment:

Yes, this prevents the injection.

The injection is possible because the path is substituted in the string 
without any escaping. Your fix is not enough. The real path to a Tix 
installation can contain special characters: '\', '{' or '}'.

My patch first sets the path in a Tcl variable (there is no injection, because 
a special API is used instead of evaluating a generated script), and then uses 
this variable in the script (unlike the Unix shell, Tcl doesn't reparse the 
command after substituting variables).

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29125>
_______________________________________
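An added example, not code from the tracker issue or from CPython's Tix module, that reproduces the two approaches contrasted above in a bare Tcl interpreter (tkinter.Tcl(), no display needed); the variable name tixlib and the sample path are constructed for the demonstration.

```python
"""Substituting a path into a Tcl script versus passing it in a Tcl variable.

Added example (not the tracker's or CPython's code). It models the pattern
discussed in the issue: appending a Tix library directory to auto_path.
"""
import tkinter


def append_by_substitution(tixlib):
    """Vulnerable pattern: the path is pasted into the script text.

    Braces quote the word, but a '}' inside the path ends the word early and
    a trailing '\\' hides the closing brace, so Tcl parses a different command.
    Returns the resulting list elements, or None if the script did not parse.
    """
    tk = tkinter.Tcl().tk                 # bare Tcl interpreter, no Tk window
    tk.eval('set auto_path {}')
    try:
        tk.eval('lappend auto_path {%s}' % tixlib)
    except tkinter.TclError:              # e.g. "missing close-brace"
        return None
    return list(tk.splitlist(tk.eval('set auto_path')))


def append_via_variable(tixlib):
    """Fixed pattern: the path reaches Tcl through the variable API.

    setvar() stores the value verbatim without building any script text, and
    Tcl does not reparse the result of a $variable substitution, so the path
    stays one list element no matter which characters it contains.
    """
    tk = tkinter.Tcl().tk
    tk.eval('set auto_path {}')
    tk.setvar('tixlib', tixlib)           # hypothetical variable name
    tk.eval('lappend auto_path $tixlib')
    return list(tk.splitlist(tk.eval('set auto_path')))


if __name__ == '__main__':
    # Constructed sample: a plausible install directory containing a '}'.
    odd_path = r'C:\Tools\tix} 8.4'
    print(append_by_substitution(odd_path))   # two elements: word boundary broke
    print(append_via_variable(odd_path))      # one element, path intact
    print(append_by_substitution('C:\\Tix\\'))  # None: trailing '\' breaks parsing
```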