[issue36021] [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
STINNER Victor
report at bugs.python.org
Wed Feb 20 10:02:06 EST 2019
STINNER Victor <vstinner at redhat.com> added the comment:
Maybe webbrowser must be changed to become *very strict*. For example, raise an error if the URL doesn't start with "http://" or "https://". But add an option to opt-in for "unsafe" URLs with a warning in the doc to explain the risk on Windows?
Another option is to add an optional callback to validate the URL. As the 'verify' parameter of logging.config.listen():
https://docs.python.org/dev/library/logging.config.html#logging.config.listen
"pydoc -b" runs a local HTTP server but it uses regular "http://" URLs, it doesn't use file://.
Maybe only Windows should be modified, Unix is safe, no?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
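The strict mode and `verify` callback floated in the comment above, written out as a small wrapper in front of `webbrowser.open()`. This is an added illustration, not code from CPython or from the issue author: the names `validate_url`, `open_strict`, `is_rejected`, the `allow_unsafe` opt-in flag and the injectable `opener` parameter are assumptions made for this example, and the sample URLs are constructed.

```python
"""Strict URL validation in front of webbrowser.open().

Illustrates the "only http/https by default, opt in for anything else, plus
an optional verify callback" idea from the issue discussion. Added example;
not CPython code. validate_url, open_strict, is_rejected, allow_unsafe and
opener are names assumed for this illustration.
"""
import webbrowser
from urllib.parse import urlsplit

# Schemes that a plain "open a web page" call is expected to handle.
SAFE_SCHEMES = frozenset({"http", "https"})


def validate_url(url, *, allow_unsafe=False, verify=None):
    """Return url if it passes the checks, otherwise raise ValueError.

    - Only http/https are accepted unless allow_unsafe=True is passed.
    - If verify is given it is called with the URL and must return a true
      value, mirroring the 'verify' parameter of logging.config.listen().
    """
    if not isinstance(url, str):
        raise TypeError("url must be a str")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # Anything that is not http/https (file:, a bare drive path, ...) would be
    # handed straight to os.startfile() by the WindowsDefault browser; reject
    # it unless the caller explicitly opts in.
    if scheme not in SAFE_SCHEMES and not allow_unsafe:
        raise ValueError(
            f"refusing to open {url!r}: scheme {scheme or '<none>'!r} is not in "
            f"{sorted(SAFE_SCHEMES)}; pass allow_unsafe=True to override"
        )
    # A web URL still needs a host: "http:///x" is not a web page either.
    if scheme in SAFE_SCHEMES and not parts.netloc:
        raise ValueError(f"refusing to open {url!r}: missing host")
    if verify is not None and not verify(url):
        raise ValueError(f"refusing to open {url!r}: rejected by verify callback")
    return url


def is_rejected(url, **kwargs):
    """True if validate_url() refuses url with the given keyword options."""
    try:
        validate_url(url, **kwargs)
    except ValueError:
        return True
    return False


def open_strict(url, *, allow_unsafe=False, verify=None, opener=webbrowser.open):
    """Validate url, then hand it to opener (webbrowser.open by default).

    opener is injectable so the policy can be exercised without launching a
    browser; the return value is whatever opener returns.
    """
    checked = validate_url(url, allow_unsafe=allow_unsafe, verify=verify)
    return opener(checked)


if __name__ == "__main__":
    # Demonstration with a recording stub instead of a real browser.
    opened = []
    open_strict("https://docs.python.org/", opener=opened.append)
    # Constructed non-web inputs that a strict default should refuse.
    for bad in ("file:///tmp/example.html", r"C:\example\document.txt", "http:///no-host"):
        try:
            open_strict(bad, opener=opened.append)
        except ValueError as exc:
            print("blocked:", exc)
    print("opened:", opened)
```

Keeping the opt-in as a keyword-only argument means existing call sites that pass only a URL get the strict behaviour, and the `verify` hook lets an application apply its own allowlist (for example, restricting hosts) without re-implementing the scheme check.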