Message174479
I also don't find the scenario where an attacker has write privileges
to a user's home directory so disturbing -- there are juicier targets
(like .bashrc).
This constructed example using /tmp is a little more troubling:
$ cd /tmp
$ echo 'print("exploit")' > .Tk.py
$ export XAUTHORITY=$HOME/.Xauthority
$ unset HOME
$ python3.3
>>>import tkinter
>>> w = tkinter.Tk()
/usr/local/lib/python3.3/tkinter/__init__.py:1817: ResourceWarning: unclosed file <_io.TextIOWrapper name='./.Tk.py' mode='r' encoding='ANSI_X3.4-1968'>
exec(open(class_py).read(), dir)
exploit |
|
Date |
User |
Action |
Args |
2012-11-01 21:37:45 | skrah | set | recipients:
+ skrah, terry.reedy, mark.dickinson, pitrou, gpolo, Arfrever, asvetlov, Ramchandra Apte, zach.ware |
2012-11-01 21:37:45 | skrah | set | messageid: <1351805865.2.0.186152174041.issue16248@psf.upfronthosting.co.za> |
2012-11-01 21:37:45 | skrah | link | issue16248 messages |
2012-11-01 21:37:44 | skrah | create | |
|