subject:"\[issue29125\] Shell injection via TIX_LIBRARY when using tkinter.tix"

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2019-11-17 Thread Zachary Ware



Zachary Ware  added the comment:

Nearly 3 years on, the patch looks fine to me (though I would also accept this 
issue as justification for removing Tix ;).

--
versions: +Python 3.8, Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-15 Thread Larry Hastings


Larry Hastings added the comment:

If it "has a small attack surface" and affects "a very small number of 
applications", I don't think it's a release blocker.  Demoting to "high" 
priority, which will permit me to release 3.5.3.

--
priority: release blocker -> high

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-15 Thread Larry Hastings


Larry Hastings added the comment:

I'll make you a deal.  If you check this in in the next 3 hours, I'll 
cherry-pick it for 3.5.3.  Otherwise I don't want to hold up the release.  To 
be honest I'm not sure why it's marked as "release blocker" if it's "low 
severity".

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-14 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

TclError in Terry's example is raised because Tcl script has unpaired braces. 
You should add "{" at the end of TIX_LIBRARY.

Here is working exploit:

$ TIX_LIBRARY="/dev/null}; exec python3 -m this >spoiled; set x {"  python3 -c 
"from tkinter.tix import Tk; Tk()"

It creates the file "spoiled" in current directory containing The Zen of Python.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-14 Thread Terry J. Reedy


Terry J. Reedy added the comment:

In the original code, python interpolates tixlib into the string sent to and 
executed by tcl exec.  With the patch, tcl exec does the interpolation.  Not 
knowing anything in particular about tcl's exec, I found a value for tixlib 
that appears to validate Serhiy's claim that tcl exec does not rescan.

C:\Users\Terry>py -3.5
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 25 2016, 22:18:55) [MSC v.1900 64 bit 
(AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import tkinter as tk
>>> tka = tk.Tk().tk
>>> txlib =  '} python -c "print(999)"'
>>> tka.setvar('TIX_LIBRARY', txlib)
>>> tka.eval('global autopath; lappend auto_path {%s}' % txlib)
Traceback (most recent call last):
  File "", line 1, in 
_tkinter.TclError: extra characters after close-quote

>>> tka.eval('global autopath; lappend auto_path $TIX_LIBRARY')
'{C:\\Programs\\Python35\\tcl\\tcl8.6} C:/Programs/Python35/tcl C:/Programs/lib 
C:/Programs/Python35/tcl/tk8.6 C:/Programs/Python35/tcl/tk8.6/ttk \\}\\ 
python\\ -c\\ \\"print(999)\\"'

I don't understand exactly why (or when) TclError is raised. but it is only 
raised when python does the interpolation.  And for this string, only when '}' 
is present.  Without the '}', there is no exception and the interpolated string 
is simply appended, as with the new $TIX_LIBRARY code.

test_tix, such as it is, passes with the patch.  So unless I missed something 
the patch appears to be both safe and useful.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-13 Thread Larry Hastings


Larry Hastings added the comment:

Could one of you recent tagees (Terry, Zach) review the patch?  Hoping to tag 
3.5.3 final in less than 48 hours, and I want to cherry-pick the fix for 
this...!

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-10 Thread Serhiy Storchaka


Changes by Serhiy Storchaka :


--
nosy: +terry.reedy, zach.ware

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-10 Thread Larry Hastings


Larry Hastings added the comment:

Well, clearly I'm not qualified to review the patch.  Could someone please 
review it?  I want to cherry-pick the fix for this issue for 3.5.3 final, which 
I tag in about four days.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-06 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

Yes this prevents the injection.

The injection is possible because the patch is substituted in the string 
without any escaping. Your fix is not enough. The real path to a Tix 
installation can contain special characters: '\', '{' or '}'.

My patch first sets a path to a Tcl variable (there is no an injection, because 
special API is used instead of evaluating a generated script), and then use 
this variable in the script (unlike to Unix shell Tcl doesn't reparse the 
command after substituting variables).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-06 Thread Larry Hastings


Larry Hastings added the comment:

I don't understand the fix.  Does this really prevent the injection?

I would fix it this way:

if tixlib is not None and os.path.exists(tixlib):

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-02 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

Here is a fix.

--
keywords: +patch
Added file: http://bugs.python.org/file46113/tix_library_shell_injection.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-02 Thread Serhiy Storchaka


Changes by Serhiy Storchaka :


--
stage:  -> patch review

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-02 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

I agreed that this security issue has low severity. Only applications that use 
Tix are vulnerable, and this is very small number of applications.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-02 Thread Christian Heimes


Christian Heimes added the comment:

yeah, sounds totally fine to me. It's a low risk change and the issue has a 
small attack surface. I set the priority to release blocker to draw your 
attention.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-02 Thread Larry Hastings


Larry Hastings added the comment:

This code hasn't changed in years.  So while I believe it's a security bug and 
should be fixed, I don't know if I agree it's a bad enough security bug to stop 
Python 3.5.3rc1, which is literally in the middle of the release process.

I'm guessing this is easily fixed (if not os.path.isfile(tixlib): return), so 
how about we release 3.5.3rc1 with this bug and I'll cherry-pick this fix for 
3.5.3 final.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-02 Thread Christian Heimes


Changes by Christian Heimes :


--
nosy: +benjamin.peterson, christian.heimes, larry, ned.deily
priority: normal -> release blocker

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2017-01-01 Thread Serhiy Storchaka


Changes by Serhiy Storchaka :


--
nosy: +serhiy.storchaka
versions: +Python 3.5, Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2016-12-31 Thread symphorien


New submission from symphorien:

The tkinter.tix module looks for a Tix installation in the directory specified 
by the TIX_LIBRARY environment variable, but blindly trusts that it is a path 
in the filesystem. This enables a shell injection :

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"

or 

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import 
Tk; Tk()"

Python execs gsimplecal, waits on its completion and then raises a 
tkinter.TclError.

The offending code is here : 
https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208

--
components: Tkinter
messages: 284408
nosy: symphorien
priority: normal
severity: normal
status: open
title: Shell injection via TIX_LIBRARY when using tkinter.tix
type: security
versions: Python 2.7, Python 3.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

18 matches

Site Navigation

Mail list logo

Footer information