webbrowser module + urls ending in .py = a security hole?
Fuzzyman
fuzzyman at gmail.com
Thu Feb 2 09:03:32 EST 2006
Peter Hansen wrote:
> Fuzzyman wrote:
> > Blair P. Houghton wrote:
> >>webbrowser.py module's handling of http:// accesses
> >>is definitely different from its handling of file:// accesses.
> >
> > It's worth working out if this is down to webbrowser.py *or* Firefox.
> > Try launching firefox with the path to the py file and seeing what it
> > does.
> >
> > If it is webbrowser.py then it is worth fixing.
>
> I'm not sure if my posts got through a couple of days ago, but I thought
> I already answered this. webbrowser.py calls os.startfile(), which just
> passes things off to the OS. If it's an http:// call, the registry
> entries point to Firefox (with a --url option, as I recall) but
> os.startfile() obviously doesn't always just load a web browser, so if
> the file happens to be a local .py file, it runs it.
>
> I believe you'll get identical results if you pass the same url as you
> are passing webbrowser.py to the START command:
>
> start "" "file:///c:/svn/ccvi86/main.py"
>
> On my machine that runs the file.
>
> start "" "http://www.engcorp.com/main/files/ixcore.py"
>
> And that one displays the file in Firefox.
>
> So the bug, if it can be called that, is that on Windows webbrowser.py
> doesn't do real work, but just passes responsibility to an underlying
> function which works as expected only for http: protocol stuff.
>
I can't see your posts on Google, but that's what I suggested might be
the case nearer the start of this thread. ;-)
Hmmm.... if it's not a bug, it at least needs documenting.
All the best,
Fuzzyman
http://www.voidspace.org.uk/python/index.shtml
> -Peter
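
An added example, not part of the original thread and not code from the Python standard library: one way a caller can keep local files away from the OS file-association handler described above is to check the URL scheme before calling webbrowser.open(). The names check_browser_url and safe_open are hypothetical, and the http/https allow-list is an assumption about what the caller intends to open.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: only web URLs should ever reach the browser launcher.
ALLOWED_SCHEMES = {"http", "https"}


def check_browser_url(url):
    """Return url unchanged if it is safe to pass to webbrowser.open().

    Raises ValueError for anything that the OS could treat as a local file
    (file:// URLs, bare paths, drive-letter paths) or that is malformed.
    """
    if not isinstance(url, str):
        raise ValueError("URL must be a string")
    if url != url.strip() or any(ord(c) < 0x20 for c in url):
        raise ValueError("URL has padding whitespace or control characters")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # "file:///c:/x.py" has scheme "file", "main.py" has no scheme, and
        # "c:\\x.py" parses with scheme "c"; all of them are rejected here.
        raise ValueError("refusing non-web URL scheme: %r" % (scheme or "<none>"))
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def safe_open(url, opener=webbrowser.open):
    """Validate, then open. opener is injectable so the check can be tested."""
    return opener(check_browser_url(url))
```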