Stefan Krah added the comment:

Ramchandra Apte <rep...@bugs.python.org> wrote:
> Almost nobody knows that when using tkinter, code in .Tk.py is executed.
> (readprofile is not even documented!)
> While in your example, it is quite easy to see that it will run .bashrc

The point of the example is that it's "game over" anyway once an attacker
has write privileges to a user's home directory.

"sudo bash" is certainly a more common operation than "sudo tkapp.py",
and users are not in the habit of auditing .bashrc each time they launch
a shell.

In fact, I'd probably be more likely to notice a new file ".Tk.py" than
a small modification to my .bashrc.

That said, I absolutely agree that *ideally* tkinter apps should not
execute code from a startup file, especially if the startup file is
*not* in the user's home directory.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16248>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
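The thread above turns on which files tkinter silently executes when a Tk application starts. As an added audit helper (not CPython's own code, and not something posted in the thread), the script below re-implements the file selection of tkinter.Tk.readprofile() as it appears in CPython's tkinter/__init__.py: baseName is derived from sys.argv[0], className defaults to "Tk", and when $HOME is unset the lookup falls back to the current directory, which is the "not in the user's home directory" case the comment worries about. The constructed scenario plants a ~/.Tk.py in a throw-away home directory to show what Tk() would exec before the first window appears.

```python
"""Audit which per-user startup files tkinter's Tk() would execute.

Added example, not CPython's code: it mirrors the path selection of
tkinter.Tk.readprofile() so an auditor can list the files that would be
sourced (Tcl) or exec'd (Python) by a given Tk app, without opening a
display.
"""
import os
import tempfile


def tk_profile_candidates(argv0, home, class_name="Tk"):
    """Return (kind, path) pairs in the order tkinter consults them.

    argv0:      what sys.argv[0] would be for the launched app
    home:       value of $HOME, or None when it is unset; readprofile()
                then uses os.curdir, i.e. the *current* directory
    class_name: the className argument of Tk() (default "Tk")
    """
    # Tk.__init__ builds baseName from sys.argv[0], stripping only .py/.pyc.
    base_name, ext = os.path.splitext(os.path.basename(argv0))
    if ext not in (".py", ".pyc"):
        base_name += ext
    # readprofile(): no $HOME -> current working directory.
    profile_dir = home if home is not None else os.curdir
    return [
        ("tcl-source", os.path.join(profile_dir, ".%s.tcl" % class_name)),
        ("py-exec", os.path.join(profile_dir, ".%s.py" % class_name)),
        ("tcl-source", os.path.join(profile_dir, ".%s.tcl" % base_name)),
        ("py-exec", os.path.join(profile_dir, ".%s.py" % base_name)),
    ]


def existing_tk_profiles(argv0, home, class_name="Tk"):
    """Only the candidates that exist on disk, i.e. the files that would run."""
    return [(kind, path)
            for kind, path in tk_profile_candidates(argv0, home, class_name)
            if os.path.isfile(path)]


def demo():
    """Constructed scenario: a planted .Tk.py in a throw-away home dir.

    Returns True when the audit reports exactly that planted file for an
    app started as 'tkapp.py' with $HOME pointing at the fake directory.
    """
    with tempfile.TemporaryDirectory() as fake_home:
        planted = os.path.join(fake_home, ".Tk.py")
        with open(planted, "w") as fh:
            # Payload is never executed here; it only has to exist.
            fh.write("import os; os.system('id')\n")
        found = [path for _, path in existing_tk_profiles("tkapp.py", fake_home)]
        return found == [planted]


if __name__ == "__main__":
    for kind, path in tk_profile_candidates("tkapp.py", os.environ.get("HOME")):
        print(kind, path)
    print("planted-profile detected:", demo())
```

Run it from the directory you would launch the Tk app from: with $HOME set it lists ~/.Tk.tcl, ~/.Tk.py, ~/.tkapp.tcl and ~/.tkapp.py; with HOME unset the same four names resolve under "./", so a writable working directory becomes the injection point. Later CPython releases skip readprofile() entirely when the interpreter is started with -E (sys.flags.ignore_environment), which is the mitigation that came out of this issue.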