Message 284860 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	serhiy.storchaka
Recipients	benjamin.peterson, christian.heimes, larry, ned.deily, serhiy.storchaka, symphorien
Date	2017-01-06.21:54:52
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1483739692.56.0.432312637536.issue29125@psf.upfronthosting.co.za>
In-reply-to

Content
Yes this prevents the injection. The injection is possible because the patch is substituted in the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'. My patch first sets a path to a Tcl variable (there is no an injection, because special API is used instead of evaluating a generated script), and then use this variable in the script (unlike to Unix shell Tcl doesn't reparse the command after substituting variables).

Yes this prevents the injection.

The injection is possible because the patch is substituted in the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'.

My patch first sets a path to a Tcl variable (there is no an injection, because special API is used instead of evaluating a generated script), and then use this variable in the script (unlike to Unix shell Tcl doesn't reparse the command after substituting variables).

History
Date	User	Action	Args
2017-01-06 21:54:52	serhiy.storchaka	set	recipients: + serhiy.storchaka, larry, christian.heimes, benjamin.peterson, ned.deily, symphorien
2017-01-06 21:54:52	serhiy.storchaka	set	messageid: <1483739692.56.0.432312637536.issue29125@psf.upfronthosting.co.za>
2017-01-06 21:54:52	serhiy.storchaka	link	issue29125 messages
2017-01-06 21:54:52	serhiy.storchaka	create