[issue36021] [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
STINNER Victor
report at bugs.python.org
Tue Feb 19 10:50:06 EST 2019
STINNER Victor <vstinner at redhat.com> added the comment:
Parsing a URL and deciding if a URL is "safe" or not is hard.
For example, PR 11931 denies "file://" URLs, but I don't see the issue with opening such a URL:
file:///home/vstinner/prog/GIT/github.io/output/index.html
(local path to a HTML file)
The problem here is that os.startfile() can be abused to run arbitrary commands.
Another option would be to behave as the Unix classes do: run a specific browser like Chrome or Firefox directly.
Maybe the registry can help? I found interesting keys:
"HKEY_CURRENT_USER\Software\Classes\BSURL\shell\open\command"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Clients\StartmenuInternet\"
----------
components: +Windows
nosy: +paul.moore, steve.dower, tim.golden, zach.ware
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
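The alternative sketched above (skip os.startfile()/ShellExecute and run the registered browser directly, with the URL passed as one argv element) can be illustrated with the registry keys quoted in the comment. The code below is an added example written for this page; it is not part of CPython's webbrowser module. It assumes the documented-looking layout that `UserChoice\ProgId` holds a ProgId string and `Software\Classes\<ProgId>\shell\open\command` holds a command template containing `%1`; the template tokenizer, `is_safe_url()` scheme allow-list and `build_argv()` are pure functions so they run on any platform, while `registered_browser_command()` and `launch()` need Windows and `winreg`.

```python
"""Resolve the user's default http(s) handler from the registry and launch it
with the URL as a single argv element, instead of handing the string to
os.startfile() (which goes through ShellExecute and honours file types).

Hypothetical helper code, not CPython's webbrowser module. Only launch() and
registered_browser_command() touch Windows; everything else is testable anywhere.
"""
import subprocess
import sys
from urllib.parse import urlsplit

# Registry locations quoted in the issue. Assumed value layout:
#   UserChoice\ProgId  -> a ProgId such as "FirefoxURL-..." (constructed name)
#   Classes\<ProgId>\shell\open\command -> e.g. "C:\...\firefox.exe" -osint -url "%1"
URL_ASSOC_KEY = r"Software\Microsoft\Windows\Shell\Associations\UrlAssociations\{scheme}\UserChoice"
PROGID_COMMAND_KEY = r"Software\Classes\{progid}\shell\open\command"

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host. A bare path, an
    executable name, a file: or javascript: URL is refused before any
    launcher sees it."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def split_command_template(template: str) -> list:
    """Tokenize a Windows shell\\open\\command template: whitespace separates
    tokens, double quotes group a token, backslashes are literal (shlex in
    POSIX mode would strip them from paths like C:\\Program Files)."""
    tokens, current, in_quotes, have_token = [], [], False, False
    for ch in template:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(current))
    return tokens


def build_argv(template: str, url: str) -> list:
    """Substitute the URL for %1 as exactly one argv element. Because no shell
    re-parses the result, quotes, spaces or '&' inside the URL cannot turn
    into extra commands or arguments."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to open non-http(s) URL: {url!r}")
    argv = split_command_template(template)
    if not argv:
        raise ValueError("empty command template")
    if not any("%1" in tok for tok in argv):
        # Template without a placeholder: append the URL as the last argument.
        return argv + [url]
    return [tok.replace("%1", url) for tok in argv]


def registered_browser_command(scheme: str = "http") -> str:
    """Windows only: read UserChoice\\ProgId for the scheme, then that ProgId's
    default shell\\open\\command value (both keys named in the issue)."""
    import winreg  # available on Windows only
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        URL_ASSOC_KEY.format(scheme=scheme)) as key:
        progid, _ = winreg.QueryValueEx(key, "ProgId")
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        PROGID_COMMAND_KEY.format(progid=progid)) as key:
        return winreg.QueryValue(key, None)  # the key's default value


def launch(url: str) -> subprocess.Popen:
    """Start the registered browser directly (no shell, no ShellExecute)."""
    if sys.platform != "win32":
        raise OSError("registry lookup is Windows-only")
    template = registered_browser_command(urlsplit(url).scheme.lower())
    return subprocess.Popen(build_argv(template, url))
```

The scheme allow-list is deliberately narrow; whether `file:` URLs belong in it is exactly the question raised in the comment, and widening it is a policy choice, not a parsing one. Note also that resolving a ProgId under `HKEY_CURRENT_USER\Software\Classes` only covers per-user registrations; machine-wide ones live elsewhere and are not handled here.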