webbrowser module + urls ending in .py = a security hole?

Blair P. Houghton blair.houghton at gmail.com
Mon Jan 30 15:09:22 EST 2006


I'm going to try it out on a remote server later today.

I did use this script to fetch remote HTML
(url='http://www.python.org') before I tried the remote file, and it
opened the webpage in Firefox.

I may also try to poke around in webbrowser.py, if possible, to see if
I can see whether it's selecting the executable for the given
extension, or passing it off to the OS.  I would think, since Python is
not /supposed/ to have client-side scripting powers, that even when the
script is on the client this is bad behavior.

Just don't have the bandwidth, just now.

Anyone got a good regex that will always detect an extension that might
be considered a script? Or reject all but known non-scripted
extensions? Because wrapping the webbrowser.open() call would be the
workaround, and upgrading webbrowser.py would be a solution.

--Blair

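As an added example, not code from the original thread or from webbrowser.py, here is the kind of wrapper the post above asks about, written against the current Python 3 standard library. Rather than a regex that tries to recognise every "script-like" extension, it allowlists the schemes and path extensions it is willing to hand to webbrowser.open(); the contents of ALLOWED_SCHEMES and ALLOWED_EXTENSIONS, the UnsafeURL exception, and the opener parameter (so the check can be exercised without launching a browser) are this example's own assumptions:

```python
import posixpath
import webbrowser
from urllib.parse import urlsplit, unquote

# Policy values are assumptions for this example, not anything webbrowser.py
# defines. An allowlist of what we *will* hand to the browser is used instead
# of a deny-list regex for "script" extensions: a deny-list has to be kept
# current and silently passes anything it has never heard of.
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_EXTENSIONS = frozenset({"", ".html", ".htm", ".txt", ".pdf",
                                ".png", ".jpg", ".jpeg", ".gif"})


class UnsafeURL(ValueError):
    """Raised when a URL fails the policy check (name chosen for this example)."""


def path_extension(url):
    """Lowercased extension of the URL's path component, or '' if none.

    The query string and fragment are ignored, percent-encoding is decoded,
    and the path is normalised so that '/a.html/../x.py' is seen as 'x.py'.
    A dotfile such as '/.py' yields '.py' (os.path.splitext would give '').
    """
    path = unquote(urlsplit(url).path)
    if not path:
        return ""
    base = posixpath.basename(posixpath.normpath(path))
    return base[base.rfind("."):].lower() if "." in base else ""


def check_url(url):
    """Return None if the URL passes policy, otherwise a short reason string."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.netloc:
        return "no host in URL"
    ext = path_extension(url)
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext!r} not allowed"
    return None


def safe_open(url, opener=webbrowser.open):
    """Call opener (webbrowser.open by default) only if url passes check_url."""
    reason = check_url(url)
    if reason is not None:
        raise UnsafeURL(f"{url}: {reason}")
    return opener(url)


if __name__ == "__main__":
    # Constructed sample URLs; example.invalid is a reserved name that never resolves.
    for candidate in ("http://www.python.org",
                      "http://example.invalid/tmp/test.py",
                      "file:///tmp/test.py"):
        print(candidate, "->", check_url(candidate) or "ok")
```

Two caveats on what this does and does not buy you. The URL's extension is not what decides what the browser does with the response; the server's Content-Type and the browser's handler configuration do, so this gate only controls what this script hands to the browser, not what the browser does next. And a check like this is a wrapper around the call site, as the post says; it does nothing for any other code that calls webbrowser.open() directly.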