Message284860
Yes this prevents the injection.
The injection is possible because the path is substituted in the string without any escaping. Your fix is not enough. The real path to a Tix installation can contain special characters: '\', '{' or '}'.
My patch first sets the path into a Tcl variable (there is no injection, because a special API is used instead of evaluating a generated script), and then uses this variable in the script (unlike the Unix shell, Tcl doesn't reparse the command after substituting variables).
Date | User | Action | Args
2017-01-06 21:54:52 | serhiy.storchaka | set | recipients: + serhiy.storchaka, larry, christian.heimes, benjamin.peterson, ned.deily, symphorien
2017-01-06 21:54:52 | serhiy.storchaka | set | messageid: <1483739692.56.0.432312637536.issue29125@psf.upfronthosting.co.za>
2017-01-06 21:54:52 | serhiy.storchaka | link | issue29125 messages
2017-01-06 21:54:52 | serhiy.storchaka | create |
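The two patterns contrasted in the message, as an added example (not the author's patch and not CPython's tix.py): a path pasted into Tcl script text versus a path handed over through the interpreter's variable API and referenced as `$TIX_LIBRARY`. The variable name, the script shape and the hostile path are constructed for the illustration; only a bare Tcl interpreter is needed, no Tk window.

```python
"""Substituting a path into Tcl script text lets the path's braces end the
word and start new commands; setting a Tcl variable through the C API and
referencing it in the script does not, because Tcl substitutes $var once
and never reparses the result.  Illustration only, not the project's code."""
import tkinter

# Constructed hostile "path": the first '}' closes the brace the script
# opened, so the rest of the string is parsed as further Tcl commands.
HOSTILE_PATH = r"} ; set injected 1 ; lappend auto_path {"


def lappend_by_substitution(path):
    """Vulnerable pattern: path pasted into the script, then evaluated."""
    interp = tkinter.Tcl()  # plain Tcl interpreter, no display required
    interp.tk.eval("global auto_path; lappend auto_path {%s}" % path)
    return _report(interp)


def lappend_by_variable(path):
    """Safe pattern: the path goes into a Tcl variable via the API and the
    script only names the variable (TIX_LIBRARY is an assumed name)."""
    interp = tkinter.Tcl()
    interp.tk.setvar("TIX_LIBRARY", path)
    interp.tk.eval("global auto_path; lappend auto_path $TIX_LIBRARY")
    return _report(interp)


def _report(interp):
    """Return (last auto_path element, whether the injected command ran)."""
    last = interp.tk.eval("lindex $auto_path end")
    injected = interp.tk.eval("info exists injected") == "1"
    return last, injected


if __name__ == "__main__":
    # The substituted form appends an empty element and runs 'set injected 1';
    # the variable form appends the hostile string verbatim as one element.
    print(lappend_by_substitution(HOSTILE_PATH))  # ('', True)
    print(lappend_by_variable(HOSTILE_PATH))      # (HOSTILE_PATH, False)
```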