
Author: serhiy.storchaka
Recipients: benjamin.peterson, christian.heimes, larry, ned.deily, serhiy.storchaka, symphorien
Date: 2017-01-06.21:54:52
Message-id: <1483739692.56.0.432312637536.issue29125@psf.upfronthosting.co.za>

Content
Yes, this prevents the injection.

The injection is possible because the path is substituted into the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'.

My patch first sets the path in a Tcl variable (there is no injection, because a special API is used instead of evaluating a generated script), and then uses this variable in the script (unlike the Unix shell, Tcl doesn't reparse the command after substituting variables).
History
Date                 User              Action   Args
2017-01-06 21:54:52  serhiy.storchaka  set      recipients: + serhiy.storchaka, larry, christian.heimes, benjamin.peterson, ned.deily, symphorien
2017-01-06 21:54:52  serhiy.storchaka  set      messageid: <1483739692.56.0.432312637536.issue29125@psf.upfronthosting.co.za>
2017-01-06 21:54:52  serhiy.storchaka  link     issue29125 messages
2017-01-06 21:54:52  serhiy.storchaka  create
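The mechanism the message above describes, as an added example that is not part of the bug report or of the CPython patch: a Tix-style path spliced into a Tcl script with `%s` (brace quoting included) is both injectable and broken for legitimate paths containing `{`, `}` or `\`, while handing the string to the interpreter through `setvar` and referencing it as a Tcl variable keeps it a single list element. The `{%s}` template, the variable name `tix_library`, the `pwned` marker and the sample paths are constructed for this example; `tkinter.Tcl()` is used because it creates a Tcl interpreter without needing a display.

```python
import tkinter  # tkinter.Tcl() gives a bare Tcl interpreter, no Tk/display needed

# Constructed inputs (not from the report).
# A path whose unbalanced '}' terminates the braced word early; the rest is
# then executed as ordinary Tcl commands.
HOSTILE_PATH = "/opt/tix} ; set pwned 1 ; lappend auto_path {x"
# A merely unusual path: an unbalanced '{' makes the generated script unparsable.
ODD_PATH = "/opt/tix {8.4"


def unsafe_add_to_auto_path(tcl, path):
    # Vulnerable pattern: the path is interpolated into the script text.
    # Brace quoting is not escaping; Tcl only counts braces, so a stray
    # '{' or '}' (or a trailing backslash) changes how the script parses.
    tcl.eval('global auto_path; lappend auto_path {%s}' % path)


def safe_add_to_auto_path(tcl, path):
    # Hardened pattern described in the message: the value enters the
    # interpreter through the variable-setting API, which does no parsing,
    # and the script refers to it by name.  Tcl substitutes $tix_library
    # once and does not re-parse the result, so the whole string becomes
    # exactly one element of auto_path, whatever characters it contains.
    tcl.setvar('tix_library', path)
    tcl.eval('global auto_path; lappend auto_path $tix_library')


def last_auto_path_entry(tcl):
    # auto_path is a Tcl list; splitlist() parses it into elements.
    return str(tcl.splitlist(tcl.getvar('auto_path'))[-1])


def injected(tcl):
    # The 'pwned' variable only exists if the payload in HOSTILE_PATH ran.
    return tcl.eval('info exists pwned') == '1'


def run(adder, path):
    """Apply one of the two strategies to a fresh interpreter and report."""
    tcl = tkinter.Tcl()
    try:
        adder(tcl, path)
    except tkinter.TclError as exc:
        return {'error': str(exc), 'injected': False, 'last': None}
    return {'error': None,
            'injected': injected(tcl),
            'last': last_auto_path_entry(tcl)}


if __name__ == '__main__':
    for name, adder in (('unsafe', unsafe_add_to_auto_path),
                        ('safe', safe_add_to_auto_path)):
        for path in (HOSTILE_PATH, ODD_PATH):
            print(name, repr(path), run(adder, path))
```

The unsafe variant executes the `set pwned 1` smuggled in `HOSTILE_PATH` and fails outright on `ODD_PATH` with a missing-close-brace error; the safe variant appends both strings verbatim as single elements and never evaluates their contents.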