New submission from Ramchandra Apte:

Because tkinter.py uses exec to execute code from a file, it has a security 
bug. It searches for the file in the home dir. Apparently, on my system (don't 
know if it's the same on others), the $HOME variable is the same as the non-root 
one when running Python with root privileges.
Steps to reproduce:
Create a file called .Tk.py in your home folder.
Whatever code is in that file will be executed.

Run these three lines of code in Python:

import tkinter
w = tkinter.Tk()
w.mainloop()

I will add more details in later comments.

----------
components: Tkinter
messages: 173047
nosy: ramchandra.apte
priority: normal
severity: normal
status: open
title: Security bug in tkinter allows for untrusted code execution.

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16248>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
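
A defender-side check for the condition the report describes, written as an added example that is not part of the original message or of tkinter itself: it looks for the .Tk.py profile file under $HOME and flags the case where that directory or file is not owned by the user the process runs as. The function name, its parameters and the finding codes are assumptions of this example.

```python
import os
import tempfile

def audit_tk_profile(environ=None, euid=None, class_name="Tk"):
    """Audit the $HOME profile file that the report says tkinter executes.

    environ, euid and class_name are parameters of this example (assumptions)
    so the check can run against a constructed environment. Returns a list
    of (code, path) findings; an empty list means nothing was flagged.
    """
    environ = os.environ if environ is None else environ
    euid = os.geteuid() if euid is None else euid
    home = environ.get("HOME")
    if not home or not os.path.isdir(home):
        return [("home-missing", home)]
    findings = []
    home_st = os.stat(home)
    if home_st.st_uid != euid:
        # The situation in the report: a root process whose HOME still
        # points at an unprivileged user's directory.
        findings.append(("home-not-owned-by-euid", home))
    if home_st.st_mode & 0o022:
        findings.append(("home-writable-by-others", home))
    profile = os.path.join(home, ".%s.py" % class_name)
    if os.path.lexists(profile):
        st = os.lstat(profile)
        findings.append(("profile-present", profile))
        if st.st_uid != euid:
            findings.append(("profile-not-owned-by-euid", profile))
        # Symlink mode bits are not meaningful, so skip them here.
        if st.st_mode & 0o022 and not os.path.islink(profile):
            findings.append(("profile-writable-by-others", profile))
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway HOME containing an inert .Tk.py.
    with tempfile.TemporaryDirectory() as fake_home:
        with open(os.path.join(fake_home, ".Tk.py"), "w") as fh:
            fh.write("# constructed placeholder\n")
        # Pretend the process runs as a different uid than the owner of HOME.
        for finding in audit_tk_profile({"HOME": fake_home}, os.geteuid() + 1):
            print(finding)
```

Run it as the privileged user before launching a tkinter program; any `home-not-owned-by-euid` or `profile-not-owned-by-euid` finding means code from another account's home directory is in the search path described above.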