Message 174479 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	skrah
Recipients	Arfrever, Ramchandra Apte, asvetlov, gpolo, mark.dickinson, pitrou, skrah, terry.reedy, zach.ware
Date	2012-11-01.21:37:44
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1351805865.2.0.186152174041.issue16248@psf.upfronthosting.co.za>
In-reply-to

Content
I also don't find the scenario where an attacker has write privileges to a user's home directory so disturbing -- there are juicier targets (like .bashrc). This constructed example using /tmp is a little more troubling: $ cd /tmp $ echo 'print("exploit")' > .Tk.py $ export XAUTHORITY=$HOME/.Xauthority $ unset HOME $ python3.3 >>>import tkinter >>> w = tkinter.Tk() /usr/local/lib/python3.3/tkinter/__init__.py:1817: ResourceWarning: unclosed file <_io.TextIOWrapper name='./.Tk.py' mode='r' encoding='ANSI_X3.4-1968'> exec(open(class_py).read(), dir) exploit

I also don't find the scenario where an attacker has write privileges
to a user's home directory so disturbing -- there are juicier targets
(like .bashrc).


This constructed example using /tmp is a little more troubling:

$ cd /tmp
$ echo 'print("exploit")' > .Tk.py
$ export XAUTHORITY=$HOME/.Xauthority
$ unset HOME
$ python3.3

>>>import tkinter
>>> w = tkinter.Tk()
/usr/local/lib/python3.3/tkinter/__init__.py:1817: ResourceWarning: unclosed file <_io.TextIOWrapper name='./.Tk.py' mode='r' encoding='ANSI_X3.4-1968'>
  exec(open(class_py).read(), dir)
exploit

History
Date	User	Action	Args
2012-11-01 21:37:45	skrah	set	recipients: + skrah, terry.reedy, mark.dickinson, pitrou, gpolo, Arfrever, asvetlov, Ramchandra Apte, zach.ware
2012-11-01 21:37:45	skrah	set	messageid: <1351805865.2.0.186152174041.issue16248@psf.upfronthosting.co.za>
2012-11-01 21:37:45	skrah	link	issue16248 messages
2012-11-01 21:37:44	skrah	create