Issue #16248: Disable code execution from the user's home directory by tkinter when...
authorAntoine Pitrou <solipsis@pitrou.net>
Sun, 9 Dec 2012 13:46:18 +0000 (14:46 +0100)
committerAntoine Pitrou <solipsis@pitrou.net>
Sun, 9 Dec 2012 13:46:18 +0000 (14:46 +0100)
Patch by Zachary Ware.

Lib/tkinter/__init__.py
Misc/NEWS

index 643026ebf5e6c7f756eefd1d654b353e132d3663..67a2f9a327fba680df57a2e90e09777f8ef7336a 100644 (file)
@@ -1698,7 +1698,9 @@ class Tk(Misc, Wm):
         self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use)
         if useTk:
             self._loadtk()
-        self.readprofile(baseName, className)
+        if not sys.flags.ignore_environment:
+            # Issue #16248: Honor the -E flag to avoid code injection.
+            self.readprofile(baseName, className)
     def loadtk(self):
         if not self._tkloaded:
             self.tk.loadtk()
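Review bot: The new comment on the guarded `self.readprofile(baseName, className)` call says only "code injection", so it does not tell a reader what is skipped or that the default is unchanged: without -E the constructor still calls readprofile(), which per the commit title runs code from the user's home directory. I would spell that out, e.g. `# Issue #16248: readprofile() runs profile files from the user's home directory; skip it under -E.`, and state the -E dependency in the Tk class docstring so that anyone launching a tkinter program in an untrusted home directory knows the flag is required. The check sits at this call site only, so a direct call to readprofile() would presumably still execute those files; its body is outside the hunk, as are the start of `__init__` and the rest of `loadtk`.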
index d90b40d05fff863e0c0f91295787aab7fb1d38ef..b43799fd201afd814c8b4c1514100ff783d5f898 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -179,6 +179,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16248: Disable code execution from the user's home directory by
+  tkinter when the -E flag is passed to Python.  Patch by Zachary Ware.
+
 - Issue #16628: Fix a memory leak in ctypes.resize().
 
 - Issue #13614: Fix setup.py register failure with invalid rst in description.