[issue36021] [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
STINNER Victor
report at bugs.python.org
Wed Feb 20 05:51:39 EST 2019
STINNER Victor <vstinner at redhat.com> added the comment:
> >>> os.startfile('file:///C:/Temp/test/test.exe')
Oh, startfile() also runs a program for an URL using file:// scheme? If yes, it becomes even more complex to fix this file :-/
How do you decide if an URL start with file:// is safe?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
More information about the Python-bugs-list
mailing list