
Author Ramchandra Apte
Recipients Arfrever, Ramchandra Apte, asvetlov, gpolo, mark.dickinson, pitrou, skrah, terry.reedy, zach.ware
Date 2012-11-02.04:41:32
Message-id <CAExgZOjYuQ=W=pCakbz75fbWq=0Z6Pn5XbAHSmgEtXhixWKPFg@mail.gmail.com>
In-reply-to <1351801080.77.0.179401829501.issue16248@psf.upfronthosting.co.za>
Content
On 2 November 2012 01:48, Stefan Krah <report@bugs.python.org> wrote:

> Stefan Krah added the comment:
>
> Isn't IDLE supposed to be a Python shell? As I understand this issue,
> you'd have the same "exploit" by adding this to your .bashrc:
>
> echo "EXPLOIT" > /root/exploit
>
> Then, as a normal user, run:
>
> sudo bash
>
> It would be nice to get rid of the exec, but why is this an exploit?
>
> ----------
> nosy: +skrah
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue16248>
> _______________________________________

Almost nobody knows that when using tkinter, code in .Tk.py is executed.
(readprofile is not even documented!)
In your example, by contrast, it is quite easy to see that it will run .bashrc.
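As an added illustration (not code from this tracker thread or from CPython itself), here is a small audit that reproduces the lookup Tk.readprofile() performs, so an administrator can list which dotfiles in $HOME a tkinter program would execute at startup and flag any that someone other than the owner could modify. The load order, the fallback to the current directory when HOME is unset, and the default base name are assumptions about tkinter's behaviour; the sample profile file in demo() is constructed.

```python
import os
import stat
import tempfile

# Tk.readprofile() checks a Tcl file and a Python file for the class name
# (default "Tk") and then for the base name (derived from the script name).
# .tcl files are sourced by the Tcl interpreter, .py files are exec'd.
PROFILE_SUFFIXES = (".tcl", ".py")


def tk_profile_home():
    """Directory readprofile() searches: $HOME, or the cwd if HOME is unset."""
    return os.environ.get("HOME", os.curdir)


def tk_profile_candidates(home, base_name="tk", class_name="Tk"):
    """Profile paths readprofile() would consult, in the order it loads them."""
    return [
        os.path.join(home, "." + name + suffix)
        for name in (class_name, base_name)
        for suffix in PROFILE_SUFFIXES
    ]


def audit_tk_profiles(home, base_name="tk", class_name="Tk"):
    """Report every existing profile file and whether group/other may write it."""
    findings = []
    for path in tk_profile_candidates(home, base_name, class_name):
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        loose = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        findings.append({"path": path, "owner_uid": st.st_uid,
                         "writable_by_others": loose})
    return findings


def demo():
    """Constructed example: a world-writable .Tk.py in a throwaway home dir."""
    home = tempfile.mkdtemp(prefix="tkaudit-")
    profile = os.path.join(home, ".Tk.py")
    with open(profile, "w") as fh:
        fh.write("print('loaded from .Tk.py')\n")  # constructed content
    os.chmod(profile, 0o666)  # deliberately loose permissions for the demo
    return audit_tk_profiles(home)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```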
History
Date                 User             Action         Args
2012-11-02 04:41:33  Ramchandra Apte  setrecipients  + Ramchandra Apte, terry.reedy, mark.dickinson, pitrou, gpolo, Arfrever, asvetlov, skrah, zach.ware
2012-11-02 04:41:32  Ramchandra Apte  link           issue16248 messages
2012-11-02 04:41:32  Ramchandra Apte  create