Serhiy Storchaka added the comment:
Yes this prevents the injection.
The injection is possible because the patch is substituted in the string
without any escaping. Your fix is not enough. The real path to a Tix
installation can contain special characters: '\', '{' or '}'.
My patch first sets a path to a Tcl variable (there is no an injection, because
special API is used instead of evaluating a generated script), and then use
this variable in the script (unlike to Unix shell Tcl doesn't reparse the
command after substituting variables).
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue29125>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
