Ramchandra Apte added the comment: On 2 November 2012 01:48, Stefan Krah <rep...@bugs.python.org> wrote:
> > Stefan Krah added the comment: > > Isn't IDLE supposed to be a Python shell? As I understand this issue, > you'd have the same "exploit" by adding this to your .bashrc: > > echo "EXPLOIT" > /root/exploit > > > Then, as a normal user, run: > > sudo bash > > > > It would be nice to get rid of the exec, but why is this an exploit? > > ---------- > nosy: +skrah > > _______________________________________ > Python tracker <rep...@bugs.python.org> > <http://bugs.python.org/issue16248> > _______________________________________ > Almost nobody knows that when using tkinter, code in .Tk.py is executed. (readprofile is not even documented!) While in your example, it is quite easy to see that it will run .bashrc ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue16248> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com