Issue Description:

matplotlibrc files are autoloaded on import matplotlib. The first candidate that matplotlib_fname yields is the bare filename 'matplotlibrc', which resolves to the current working directory. If an attacker can place a matplotlibrc file in a directory where a user runs Python (e.g., a cloned git repository, a shared project directory, a downloads folder), all rcParams in that file are applied automatically when import matplotlib or import matplotlib.pyplot executes.

Several of the rcparams can set up common calls such as figure creation (#31293) or latex text rendering (#31249) such that they can execute arbitrary code from the matplotlibrc file as a side-effect. This presents a potential security risk.

The two linked threads above talk a bit about how an attacker which can place a file on the PATH, could alternatively just place an executable which wraps some module and silently imports with arbitrary import-time side effects, and so this is a security boundary that matplotlib should not try to include. My take is that this sort of script would appear as code and be likely flagged in a manual or automatic security audit, whereas a matplotlibrc file is not directly executable and appears as data. Someone who assumes the common principle of separating data and code would not think that this file might be risky.

This is not a critical vulnerability, but represents an opportunity for security hardening.

How to Solve:
Stop auto-loading custom matplotlibrc files. Allow the user to opt-in to this via a function or setting the MATPLOTLIBRC environment variable.

Note that this may require some discussion to figure out the best solution, and I do not recommend this as a first-time contributor issue.