Issue #16248: Disable code execution from the user's home directory by tkinter when the -E flag is passed to Python.

pitrou · pitrou · commit 0ee20ebbff96 · 2012-12-09T14:46:18.000+01:00
Patch by Zachary Ware.
diff --git a/Lib/tkinter/__init__.py b/Lib/tkinter/__init__.py
@@ -1632,7 +1632,9 @@ def __init__(self, screenName=None, baseName=None, className='Tk',
         self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use)
         if useTk:
             self._loadtk()
-        self.readprofile(baseName, className)
+        if not sys.flags.ignore_environment:
+            # Issue #16248: Honor the -E flag to avoid code injection.
+            self.readprofile(baseName, className)
     def loadtk(self):
         if not self._tkloaded:
             self.tk.loadtk()
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16248: Disable code execution from the user's home directory by tkinter
+  when the -E flag is passed to Python.
+
 
 What's New in Python 3.1.5?
 ===========================
