Issue #16248: Disable code execution from the user's home directory by tkinter when...
authorAntoine Pitrou <solipsis@pitrou.net>
Sun, 9 Dec 2012 13:46:18 +0000 (14:46 +0100)
committerAntoine Pitrou <solipsis@pitrou.net>
Sun, 9 Dec 2012 13:46:18 +0000 (14:46 +0100)
Patch by Zachary Ware.

Lib/lib-tk/Tkinter.py
Misc/NEWS

index 795cc453fff76b80224e87c507816187c1fe0fd9..cec31fd9ab12bd2eabfb78303c336e47d9420e22 100644 (file)
@@ -1709,7 +1709,9 @@ class Tk(Misc, Wm):
         self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use)
         if useTk:
             self._loadtk()
-        self.readprofile(baseName, className)
+        if not sys.flags.ignore_environment:
+            # Issue #16248: Honor the -E flag to avoid code injection.
+            self.readprofile(baseName, className)
     def loadtk(self):
         if not self._tkloaded:
             self.tk.loadtk()
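Review bot: The comment on the new guard in `Tk.__init__` names the flag but not what is being skipped, and it can be read as saying the risk is gone, although the profile is still read on every run that does not pass -E. Going by the commit title, `readprofile()` runs code found in the user's home directory (its body is outside this hunk), so I would spell that out: `# Issue #16248: readprofile() runs profile code from the user's home directory; skip it under -E. Without -E it still runs.` The file list shows only Tkinter.py and Misc/NEWS, so there appears to be no regression test for the -E path; a test that creates a Tk instance under -E and checks that no profile is executed would keep the guard from being dropped later. `__init__` begins above the hunk.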
index ecf0aa32c35a50850c59e4e15a7c9cbba591cc85..0db76a962ab7bed8262daad1e3809430c893f3c9 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -160,6 +160,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16248: Disable code execution from the user's home directory by
+  tkinter when the -E flag is passed to Python.  Patch by Zachary Ware.
+
 - Issue #16628: Fix a memory leak in ctypes.resize().
 
 - Issue #13614: Fix setup.py register failure with invalid rst in description.