webbrowser module + urls ending in .py = a security hole?

Blair P. Houghton blair.houghton at gmail.com
Thu Feb 2 11:37:12 EST 2006


Peter Hansen wrote:
> It appears the correct approach might be something along the lines of
> reading the registry to find what application is configured for the
> "HTTP" protocol (HKCR->HTTP->shell->open->command) and run that, passing
> it the URL.  I think that would do what most people expect, even when
> the URL actually passed specifies the "file" protocol and not "http".

Yeah...but here's where my mind splits.  I like security, but I'm not
sure I like the idea of breaking URL syntax and treating "file" as
"http" when it's explicitly specified...although in the context of a
URL, that might be the user's intended use-case... so do we go with "do
the secure, probably expected thing" or "do the thing Tim Berners-Lee
designed it to do"?

Since the behavior is "correct" in the "http://" case (the text is
displayed in the browser), and any "file://" access has physical and
network security built into it by nature of never accessing outside the
user's already-accessible file domain, maybe it is "correct" that the
"file://" access be treated as though it was issued from a shell
command or file-explorer window.  Which makes it no security hole at
all, it would seem...

--Blair
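As an added illustration (not code from this thread or from the webbrowser module), the following script shows the two dispatch policies being compared above: handing a file:// path to the file-type association, which selects a handler by extension, versus always launching the application registered for the HTTP protocol, as Peter Hansen suggests. The registry read uses the standard winreg module and only runs on Windows; elsewhere it falls back to SAMPLE_HTTP_COMMAND, a constructed placeholder for a typical HKCR\HTTP\shell\open\command value. Function names and the allowed-scheme list are assumptions for this example.

```python
"""Route URLs through the registered HTTP handler rather than the file-type
association.  Added example, not from the python-list thread."""
import shlex
import subprocess
import sys
from urllib.parse import urlparse

# Constructed placeholder for an HKCR\HTTP\shell\open\command value; real
# machines differ.  %1 is where the shell substitutes the URL.
SAMPLE_HTTP_COMMAND = r'"C:\Program Files\Browser\browser.exe" -url "%1"'

# Schemes we are willing to hand to the HTTP handler (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "file"}


def read_http_handler_command():
    """Read HKCR\\HTTP\\shell\\open\\command on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"HTTP\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


def command_template_to_argv(template, url):
    """Tokenize a shell\\open\\command template and substitute the URL for %1.

    Substitution happens after tokenization, so the URL becomes exactly one
    argv element and is never re-parsed by a shell.  Templates without %1
    get the URL appended as the last argument.
    """
    tokens = shlex.split(template, posix=True)
    argv = [url if tok == "%1" else tok for tok in tokens]
    if url not in argv:
        argv.append(url)
    return argv


def dispatches_by_extension(url):
    """Model the risky policy from the thread: a file:// URL opened through the
    file-type association is handled according to its extension, so a .py path
    goes to whatever is registered for .py instead of to a browser."""
    parts = urlparse(url)
    return parts.scheme == "file" and parts.path.lower().endswith(".py")


def is_allowed_url(url):
    """True when the scheme is one we will forward to the HTTP handler."""
    return urlparse(url).scheme in ALLOWED_SCHEMES


def browser_argv(url, template=None):
    """Build argv that opens URL with the HTTP handler regardless of scheme.

    This is the policy Peter Hansen proposes: even a file:// URL is given to
    the browser, which displays the file rather than executing it.
    """
    if not is_allowed_url(url):
        raise ValueError(f"refusing unsupported scheme in {url!r}")
    if template is None:
        template = read_http_handler_command() or SAMPLE_HTTP_COMMAND
    return command_template_to_argv(template, url)


def open_in_browser(url):
    """Launch the HTTP handler with the URL as a single argument (no shell=True)."""
    return subprocess.Popen(browser_argv(url))


if __name__ == "__main__":
    for u in ("http://example.com/index.html", "file:///C:/tmp/script.py"):
        print(u, "-> extension dispatch would apply:", dispatches_by_extension(u))
        print("   HTTP-handler argv:", browser_argv(u, SAMPLE_HTTP_COMMAND))
```

The main point is in command_template_to_argv: splitting the template first and substituting afterwards means quotes or spaces inside the URL cannot change the command structure, and browser_argv never consults the extension, so the same path that the file association would route to an interpreter is instead displayed by the browser.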



