webbrowser module + urls ending in .py = a security hole?

Peter Hansen peter at engcorp.com
Mon Jan 30 06:53:13 EST 2006


Blair P. Houghton wrote:
> I was messing around with the webbrowser module and decided it was
> pretty cool to have the browser open a URL from within a python script,
> so I wrote a short script to open a local file the same way, using the
> script file as an example target:
> 
> # browser-test.py
> import webbrowser
> import sys
> pathname = sys.argv[0]
> protocol = 'file://'
> url = protocol + pathname
> webbrowser.open(url)
> 
> And what I got, instead of a browser window with the text of my script,
> was a sequence of DOS windows popping up and disappearing.
> 
> Apparently that's because either Windows (XP SP2) or the browser
> (Firefox) was interpreting the .py file extension and running Python to
> execute it.
> 
> So is this a known (mis)feature, and will it happen if I chance to use
> webbrowser.open() on a remote .py file?

What happens when you load a remote .py file using the web browser 
directly?  With Firefox on my machine, it just displays the file, as 
expected, whether loaded via webbrowser.open() or not.  Make sure you're 
testing with the same browser that webbrowser loads (try a regular HTML 
file first if you're not sure which that is).

> Because if so, it's a king-hell security hole.

It might well be worth a warning in the docs, but it's no larger a 
security hole than the browser itself already has.  If your browser is 
configured to load files of a given type directly into a particular 
application without first checking with you if you want it to do so, 
you're potentially screwed already.

But is Firefox really your default browser?  The webbrowser module could 
be loading Internet Explorer on your machine, and we all know just how 
safe *that* is...

-Peter
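
The two checks Peter suggests, written up as an added example that is not code from the original post: build the file URL properly instead of by string concatenation (the original's `'file://' + sys.argv[0]` yields `file://browser-test.py` when the script is run by bare name, which is not a valid local-file URL), report which browser controller the webbrowser module has actually resolved to, and, when the file's extension is one the OS may hand to a registered application rather than render, show a `.txt` copy instead. The suffix list, the helper names (`show_source`, `which_browser`, and so on) and the sample script written by `demo()` are all assumptions constructed for this example; the real browser is replaced by a recording callable so it runs offline.

```python
import tempfile
import webbrowser
from pathlib import Path

# Extensions that Windows (or a browser's file-type associations) may hand
# to an application instead of rendering as text.  Assumed, not exhaustive.
SCRIPT_SUFFIXES = {".py", ".pyw", ".bat", ".cmd", ".exe", ".com",
                   ".vbs", ".js", ".ps1", ".scr", ".hta"}


def file_url_for(path):
    """Build a well-formed file:// URL.  resolve() makes the path absolute,
    and as_uri() handles drive letters, backslashes and percent-encoding."""
    return Path(path).resolve().as_uri()


def is_launchable(path):
    """True if the suffix is one the OS might execute instead of display."""
    return Path(path).suffix.lower() in SCRIPT_SUFFIXES


def viewable_copy(path, directory=None):
    """Copy a launchable file to <name>.txt so the browser renders it as text
    (assumption: .txt is associated with plain-text display, not a launcher)."""
    src = Path(path)
    directory = Path(directory or tempfile.mkdtemp(prefix="viewsrc-"))
    dest = directory / (src.name + ".txt")
    dest.write_bytes(src.read_bytes())
    return dest


def which_browser():
    """Describe the controller webbrowser.get() picks, so you test with the
    same browser the module will launch (WindowsDefault, Mozilla, ...)."""
    try:
        ctl = webbrowser.get()
    except webbrowser.Error as exc:  # e.g. headless box with no browser
        return f"no runnable browser ({exc})"
    return f"{type(ctl).__name__} {ctl.name!r}"


def show_source(path, opener=webbrowser.open, directory=None):
    """Open a local file in the browser as text; returns the URL opened.
    'opener' is injectable so tests can record instead of launching."""
    target = Path(path)
    if is_launchable(target):
        target = viewable_copy(target, directory)
    url = file_url_for(target)
    opener(url)
    return url


def demo():
    """Constructed sample: write a tiny .py file to a temp dir and 'open' it
    through a recording opener instead of a real browser."""
    workdir = Path(tempfile.mkdtemp(prefix="webbrowser-demo-"))
    script = workdir / "browser-test.py"
    script.write_text("print('hello from the sample script')\n")
    opened = []
    show_source(script, opener=opened.append, directory=workdir)
    return {
        # what the original snippet builds when run as 'python browser-test.py'
        "naive_url": "file://" + script.name,
        "proper_url": file_url_for(script),
        "opened": opened,
        "copy_text": (workdir / "browser-test.py.txt").read_text(),
    }


if __name__ == "__main__":
    print("webbrowser would use:", which_browser())
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it once with the recording opener to see the URL it would hand over, then swap in the real `webbrowser.open` only after confirming `which_browser()` names the browser you tested with.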
