[issue16248] Security bug in tkinter allows for untrusted code execution.

2012-10-16 Thread Ramchandra Apte
Ramchandra Apte added the comment: I made many mistakes in the original bug report. Here is a fixed one: Because Lib/tkinter/__init__.py:1801 uses exec to execute code from a file, it has a security bug. It searches for the file in the home dir. Apparently, on my system, the $HOME variable is

[issue16248] Security bug in tkinter allows for untrusted code execution.

2012-10-16 Thread Ramchandra Apte
Ramchandra Apte added the comment: specifically, when running Python using sudo (not in a root shell), the $HOME variable is preserved.

[issue16248] Security bug in tkinter allows for untrusted code execution.

2012-10-16 Thread Ramchandra Apte
Ramchandra Apte added the comment: In Lib/tkinter/__init__.py:1801, the readprofile function executes untrusted code.

[issue16248] Security bug in tkinter allows for untrusted code execution.

2012-10-16 Thread Ramchandra Apte
Ramchandra Apte added the comment: s/tkinter.py/tkinter.__init__

[issue16248] Security bug in tkinter allows for untrusted code execution.

2012-10-16 Thread Ramchandra Apte
Changes by Ramchandra Apte: type: -> security

[issue16248] Security bug in tkinter allows for untrusted code execution.

2012-10-16 Thread Ramchandra Apte
New submission from Ramchandra Apte: Because tkinter.py uses exec to execute code from a file, it has a security bug. It searches for the file in the home dir. Apparently, on my system (don't know if it's the same on others), the $HOME variable is the same as the non-root one when running Pytho