webbrowser module + urls ending in .py = a security hole?

Blair P. Houghton blair.houghton at gmail.com
Wed Feb 1 23:56:33 EST 2006


>Would it be sufficient in your case merely to allow only .html files to
>be loaded?  Or URLs without .extensions?  Or even just permit only the
>http: protocol?

Personally, I'm just noodling around with this right now.
So "my case" is the abstract case.  I think the solution, if
one was needed, would be to look at how something like
Firefox implements script detection and warns about it,
so all forms of scripts would be rejected.

I did try loading the .py file over a remote connection, and
it does seem to work as expected that way; i.e., I get a
browser window with the text of the script.  So the
webbrowser.py module's handling of http:// accesses
is definitely different from its handling of file:// accesses.

--Blair
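
The scheme restriction raised in the quoted question ("permit only the http: protocol"), sketched as an added example that is not part of the original post or of the webbrowser module. `check_url` and `open_checked` are hypothetical helper names, and the http/https allow-list is an assumption about what the application needs.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: the application only ever needs to show remote web pages.
ALLOWED_SCHEMES = {"http", "https"}

def check_url(url):
    """Return (ok, reason) for a URL about to be passed to webbrowser.open()."""
    if not isinstance(url, str) or url != url.strip():
        return False, "not a clean string"
    # Reject control characters up front; URL parsers may silently drop them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False, "control character in URL"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    # Covers file://, bare paths such as "script.py" (empty scheme) and
    # drive-letter paths, which would otherwise be resolved locally.
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % (scheme or "(none)")
    if not parts.hostname:
        return False, "no host"  # e.g. "http:///tmp/script.py"
    return True, "ok"

def open_checked(url):
    """Open url in the browser only if check_url() accepts it."""
    ok, reason = check_url(url)
    if not ok:
        raise ValueError("refusing to open %r: %s" % (url, reason))
    return webbrowser.open(url)

# Constructed sample inputs (not from the original post).
SAMPLES = [
    "http://example.com/index.html",
    "https://example.com/script.py",
    "file:///home/user/script.py",
    "script.py",
    "http:///tmp/script.py",
    "http://example.com/\nscript.py",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-40r %s" % (s, check_url(s)))
```

The check keys on the scheme rather than the file extension, so a remote `.py` URL is still passed through while every local path form is refused before it reaches the browser launcher.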



