[issue29125] Shell injection via TIX_LIBRARY when using tkinter.tix

2019-11-17 Thread Zachary Ware
Zachary Ware added the comment: Nearly 3 years on, the patch looks fine to me (though I would also accept this issue as justification for removing Tix ;). -- versions: +Python 3.8, Python 3.9

2017-01-15 Thread Larry Hastings
Larry Hastings added the comment: If it "has a small attack surface" and affects "a very small number of applications", I don't think it's a release blocker. Demoting to "high" priority, which will permit me to release 3.5.3. -- priority: release blocker -> high

2017-01-15 Thread Larry Hastings
Larry Hastings added the comment: I'll make you a deal. If you check this in in the next 3 hours, I'll cherry-pick it for 3.5.3. Otherwise I don't want to hold up the release. To be honest I'm not sure why it's marked as "release blocker" if it's "low severity".

2017-01-14 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: TclError in Terry's example is raised because Tcl script has unpaired braces. You should add "{" at the end of TIX_LIBRARY. Here is working exploit: $ TIX_LIBRARY="/dev/null}; exec python3 -m this >spoiled; set x {" python3 -c "from tkinter.tix import Tk;

2017-01-14 Thread Terry J. Reedy
Terry J. Reedy added the comment: In the original code, python interpolates tixlib into the string sent to and executed by tcl exec. With the patch, tcl exec does the interpolation. Not knowing anything in particular about tcl's exec, I found a value for tixlib that appears to validate

2017-01-13 Thread Larry Hastings
Larry Hastings added the comment: Could one of you recent tagees (Terry, Zach) review the patch? Hoping to tag 3.5.3 final in less than 48 hours, and I want to cherry-pick the fix for this...!

2017-01-10 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: nosy: +terry.reedy, zach.ware

2017-01-10 Thread Larry Hastings
Larry Hastings added the comment: Well, clearly I'm not qualified to review the patch. Could someone please review it? I want to cherry-pick the fix for this issue for 3.5.3 final, which I tag in about four days.

2017-01-06 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Yes this prevents the injection. The injection is possible because the patch is substituted in the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'. My patch first sets
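Added illustration of the two points made in this thread (Terry's observation that the fix moves the interpolation of tixlib from Python into Tcl, and Serhiy's point that a real path can contain '{' or '}', so an os.path.exists() check is not enough). This is my own code, not CPython's tix.py and not the patch attached to this issue. It assumes a display-less interpreter from tkinter.Tcl() is available (tcl_demo() returns None when it is not), uses a constructed payload that only sets a Tcl marker variable, a constructed directory name containing a brace, and a helper fits_in_braces() of my own that models Tcl's brace-matching rule.

```python
"""Added illustration (my own code, not CPython's tix.py or the patch on
this issue): why pasting TIX_LIBRARY into Tcl source is unsafe, why an
os.path.exists() check does not close the hole, and how handing the value
to Tcl as a variable lets Tcl do the interpolation instead."""
import os
import tempfile

# Constructed payload in the shape used in the thread: the '}' closes the
# braced word, the middle runs as extra Tcl commands, and 'set x {'
# rebalances the braces. It only sets a marker variable inside the
# interpreter; nothing external is executed.
PAYLOAD = "/dev/null}; set injected yes; set x {"


def unsafe_script(tixlib):
    """Vulnerable shape: the Python value becomes part of the Tcl source."""
    return "global auto_path; lappend auto_path {%s}" % tixlib


# Hardened shape: the script text is constant; the value reaches Tcl only
# as the contents of $tixlib, which Tcl substitutes as a single word.
SAFE_SCRIPT = "global auto_path; lappend auto_path $tixlib"


def fits_in_braces(value):
    """True if value can sit inside {...} without ending the word early.

    Tcl nests braces inside a braced word and does not count a brace that
    is quoted with a backslash when matching, so a value is only safe if
    every unquoted '}' is matched by an earlier unquoted '{' and the depth
    never goes negative. (Helper of my own, modelling the Tcl rule.)
    """
    depth = 0
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            i += 2  # backslash quotes the next character
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def exists_check_is_insufficient():
    """A real directory whose name contains '}' (constructed here) passes
    os.path.exists() yet still breaks out of the braces in the unsafe
    script, which is why an existence check alone does not fix the bug."""
    with tempfile.TemporaryDirectory() as tmp:
        tixlib = os.path.join(tmp, "tix}")
        os.mkdir(tixlib)
        return os.path.exists(tixlib) and not fits_in_braces(tixlib)


def tcl_demo(payload=PAYLOAD):
    """Run both shapes in a display-less Tcl interpreter when tkinter is
    available; returns None otherwise (e.g. minimal Python builds)."""
    try:
        import tkinter
        interp = tkinter.Tcl().tk
    except Exception:
        return None
    # Unsafe shape: the payload's extra commands run inside the interpreter.
    interp.eval(unsafe_script(payload))
    unsafe_injected = interp.eval("info exists injected") == "1"
    interp.eval("unset -nocomplain injected")
    # Safe shape: lappend stores the whole value as one list element,
    # braces and semicolons included, and no extra command runs.
    interp.setvar("tixlib", payload)
    interp.eval(SAFE_SCRIPT)
    safe_injected = interp.eval("info exists injected") == "1"
    last_element = interp.eval("lindex $auto_path end")
    return {
        "unsafe_injected": unsafe_injected,
        "safe_injected": safe_injected,
        "safe_element": last_element,
    }


if __name__ == "__main__":
    print("exists() check insufficient:", exists_check_is_insufficient())
    print("Tcl demo:", tcl_demo())
```

The point of the safe shape is that no quoting of the Python string is needed at all: because the value never appears in the script text, Tcl never parses it, so braces, backslashes and semicolons in a genuine path are preserved and an attacker-controlled value cannot add commands.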

2017-01-06 Thread Larry Hastings
Larry Hastings added the comment: I don't understand the fix. Does this really prevent the injection? I would fix it this way: if tixlib is not None and os.path.exists(tixlib):

2017-01-02 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here is a fix. -- keywords: +patch Added file: http://bugs.python.org/file46113/tix_library_shell_injection.patch

2017-01-02 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: stage: -> patch review

2017-01-02 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I agreed that this security issue has low severity. Only applications that use Tix are vulnerable, and this is a very small number of applications.

2017-01-02 Thread Christian Heimes
Christian Heimes added the comment: yeah, sounds totally fine to me. It's a low risk change and the issue has a small attack surface. I set the priority to release blocker to draw your attention.

2017-01-02 Thread Larry Hastings
Larry Hastings added the comment: This code hasn't changed in years. So while I believe it's a security bug and should be fixed, I don't know if I agree it's a bad enough security bug to stop Python 3.5.3rc1, which is literally in the middle of the release process. I'm guessing this is

2017-01-02 Thread Christian Heimes
Changes by Christian Heimes: nosy: +benjamin.peterson, christian.heimes, larry, ned.deily priority: normal -> release blocker

2017-01-01 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: nosy: +serhiy.storchaka versions: +Python 3.5, Python 3.7

2016-12-31 Thread symphorien
New submission from symphorien: The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection: TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2