Serhiy Storchaka added the comment:

Yes, this prevents the injection.

The injection is possible because the path is substituted in the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'. My patch first sets the path in a Tcl variable (there is no injection, because a special API is used instead of evaluating a generated script), and then uses this variable in the script (unlike the Unix shell, Tcl doesn't reparse the command after substituting variables).

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29125>
_______________________________________
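The two patterns contrasted in the comment, as an added example that is not the CPython patch itself: a path pasted into the script text is parsed by Tcl (an unbalanced brace adds or breaks list elements), while a value stored through the setvar API and read back as $tix_library stays one verbatim element. The list variable "dirs", the variable name "tix_library" and the sample paths are assumptions constructed for the demonstration.

```python
"""Added example (not the CPython patch): substituting a path into a Tcl
script versus passing it through a Tcl variable set with the C API."""
try:
    import tkinter
except ImportError:  # this Python was built without _tkinter
    tkinter = None


def _fresh_interp():
    """Plain Tcl interpreter (no Tk, no display) with an empty list variable."""
    if tkinter is None:
        raise RuntimeError("tkinter/_tkinter is not available in this build")
    interp = tkinter.Tcl().tk          # the underlying _tkinter.tkapp object
    interp.eval('set dirs {}')         # constructed stand-in for auto_path
    return interp


def naive_append(path):
    """Vulnerable pattern: the path is pasted into the script text, so Tcl
    parses every '{', '}' and backslash in it as syntax."""
    interp = _fresh_interp()
    interp.eval('lappend dirs {%s}' % path)
    return interp.splitlist(interp.getvar('dirs'))


def safe_append(path):
    """Fixed pattern: store the value with the C API (never parsed as script),
    then let the script read it; Tcl does not reparse substituted values."""
    interp = _fresh_interp()
    interp.setvar('tix_library', path)   # hypothetical variable name
    interp.eval('lappend dirs $tix_library')
    return interp.splitlist(interp.getvar('dirs'))


if __name__ == '__main__':
    # Constructed sample paths: the first smuggles in an extra list element,
    # the second (trailing backslash) swallows the closing brace.
    for sample in (r'C:\tix} {injected', 'C:\\tix\\'):
        print('safe :', safe_append(sample))
        try:
            print('naive:', naive_append(sample))
        except tkinter.TclError as exc:
            print('naive: TclError:', exc)
```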