[New-bugs-announce] [issue36021] [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
STINNER Victor
report at bugs.python.org
Mon Feb 18 06:00:53 EST 2019
New submission from STINNER Victor <vstinner at redhat.com>:
The webbrowser module uses WindowsDefault which calls os.startfile() and so can be abused to run arbitrary commands.
WindowsDefault should do log a warning or raise an error if the URL is unsafe. I'm not sure how to build a list of safe URL schemes. At least, we can explicitly exclude "C:\WINDOWS\system32\calc.exe" which doesn't contain "://".
The union of all "uses_*" constants of urllib.parser give me this sorted list of URL schemes:
['', 'file', 'ftp', 'git', 'git+ssh', 'gopher', 'hdl', 'http', 'https', 'imap', 'mailto', 'mms', 'news', 'nfs', 'nntp', 'prospero', 'rsync', 'rtsp', 'rtspu', 'sftp', 'shttp', 'sip', 'sips', 'snews', 'svn', 'svn+ssh', 'tel', 'telnet', 'wais', 'ws', 'wss']
Would it make sense to ensure that urllib.parser can parse an email to check if the URL looks valid?
----------
components: Library (Lib)
messages: 335805
nosy: vstinner
priority: normal
severity: normal
status: open
title: [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
type: security
versions: Python 2.7, Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
More information about the New-bugs-announce
mailing list