webbrowser module + urls ending in .py = a security hole?
Peter Hansen
peter at engcorp.com
Mon Jan 30 16:00:25 EST 2006
Blair P. Houghton wrote:
> I'm going to try it out on a remote server later today.
Don't bother. I've confirmed the behaviour you saw, and that it is not
what I'd expect either. My Firefox certainly isn't configured to run
.py scripts even when invoked with the "file:" protocol, so webbrowser
is almost certainly Doing Bad Things on Windows.
The relevant code from webbrowser.py shows this, confirming FuzzyMan's
suspicions:
import os

class WindowsDefault:
    # Everything, local paths included, is handed straight to the shell's
    # file-type association via os.startfile().
    def open(self, url, new=0, autoraise=1):
        os.startfile(url)
    def open_new(self, url):
        self.open(url)
> I may also try to poke around in webbrowser.py, if possible, to see if
> I can see whether it's selecting the executable for the given
> extension, or passing it off to the OS. I would think, since Python is
> not /supposed/ to have client-side scripting powers, that even when the
> script is on the client this is bad behavior.
I'd agree. I suspect this ought to be reported as a security flaw,
though it would be nice to know what the fix should be before doing so.
Anyone know a more suitable approach on Windows than just passing
things off to startfile()?
> Just don't have the bandwidth, just now.
>
> Anyone got a good regex that will always detect an extension that might
> be considered a script? Or reject all but known non-scripted
> extensions?
Would it be sufficient in your case merely to allow only .html files to
be loaded? Or URLs without .extensions? Or even just permit only the
http: protocol?
-Peter
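An allowlist check along the lines Peter suggests (permit only the http:/https: protocols, optionally local .html files, refuse everything else before it reaches os.startfile()), added here as an example; it is not from the original post or from webbrowser.py, and the names classify_url and open_url_safely are my own. It treats a one-letter scheme as a Windows drive letter, since urlparse reads "C:\temp\x.py" as scheme "c".

```python
from urllib.parse import urlparse
import os.path
import webbrowser

# Only remote web URLs are handed to the browser by default.
ALLOWED_SCHEMES = {"http", "https"}
# Local files, if permitted at all, are limited to plain HTML.
ALLOWED_LOCAL_EXTENSIONS = {".html", ".htm"}


def classify_url(url, allow_local_html=False):
    """Return (ok, reason).  ok is True only for URLs that are safe to pass
    to webbrowser.open() on a platform where it falls back to os.startfile().
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return True, "remote %s URL" % scheme
    # A single-letter "scheme" is a Windows drive letter (C:\...), i.e. a
    # bare local path, not a protocol.
    if scheme == "" or len(scheme) == 1:
        path = url
    elif scheme == "file":
        path = parsed.path
    else:
        return False, "scheme %r not in allowlist" % scheme
    # Bare paths and file: URLs are exactly what os.startfile() would run
    # through the shell's extension association.
    ext = os.path.splitext(path)[1].lower()
    if allow_local_html and ext in ALLOWED_LOCAL_EXTENSIONS:
        return True, "local HTML file"
    return False, "local path with extension %r refused" % ext


def open_url_safely(url, allow_local_html=False):
    """Open url with webbrowser only if classify_url accepts it."""
    ok, reason = classify_url(url, allow_local_html)
    if not ok:
        raise ValueError("refusing to open %s: %s" % (url, reason))
    webbrowser.open(url)
    return reason


if __name__ == "__main__":
    # Constructed sample inputs, not real targets.
    for sample in ("http://example.com/index.py", "file:///C:/temp/evil.py",
                   "evil.py", "C:\\temp\\evil.py", "report.html"):
        print(sample, classify_url(sample, allow_local_html=True))
```

Note that a .py served over http: is accepted: the remote web server decides what to do with it and the browser only receives a document, whereas a local .py reaches the shell association and gets executed.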