webbrowser module + urls ending in .py = a security hole?
Peter Hansen
peter at engcorp.com
Thu Feb 2 08:40:15 EST 2006
Fuzzyman wrote:
> Blair P. Houghton wrote:
>>webbrowser.py module's handling of http:// accesses
>>is definitely different from its handling of file:// accesses.
>
> It's worth working out if this is down to webbrowser.py *or* Firefox.
> Try launching firefox with the path to the py file and seeing what it
> does.
>
> If it is webbrowser.py then it is worth fixing.

I'm not sure if my posts got through a couple of days ago, but I thought
I already answered this. webbrowser.py calls os.startfile(), which just
passes things off to the OS. If it's an http:// call, the registry
entries point to Firefox (with a --url option, as I recall) but
os.startfile() obviously doesn't always just load a web browser, so if
the file happens to be a local .py file, it runs it.

I believe you'll get identical results if you pass the same url as you
are passing webbrowser.py to the START command:

    start "" "file:///c:/svn/ccvi86/main.py"

On my machine that runs the file.

    start "" "http://www.engcorp.com/main/files/ixcore.py"

And that one displays the file in Firefox.

So the bug, if it can be called that, is that on Windows webbrowser.py
doesn't do real work, but just passes responsibility to an underlying
function which works as expected only for http: protocol stuff.

-Peter
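
An added example, not part of the original post: one way a caller can guard against the behaviour described above is to accept only absolute http(s) URLs before handing anything to webbrowser.open(). The names is_browser_safe and open_in_browser and the opener parameter are hypothetical helpers introduced here for illustration.

```python
import webbrowser
from urllib.parse import urlsplit

# Only schemes that the OS is expected to route to a web browser.
ALLOWED_SCHEMES = {"http", "https"}


def is_browser_safe(url):
    """Return True only for an absolute http(s) URL that names a host."""
    if not isinstance(url, str) or not url:
        return False
    # Whitespace and control characters should be percent-encoded in a real
    # URL; rejecting them avoids parser-dependent stripping surprises.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # "c:/dir/main.py" parses with scheme "c"; "main.py" has no scheme;
    # "file:///..." has scheme "file". None of them pass this check.
    return parts.scheme in ALLOWED_SCHEMES and bool(host)


def open_in_browser(url, opener=webbrowser.open):
    """Open url via opener, refusing anything the OS might execute locally."""
    if not is_browser_safe(url):
        raise ValueError("refusing to open non-http(s) URL: %r" % (url,))
    return opener(url)


if __name__ == "__main__":
    # The two URLs from the post plus constructed local-path variants.
    samples = [
        "http://www.engcorp.com/main/files/ixcore.py",
        "file:///c:/svn/ccvi86/main.py",
        "c:/svn/ccvi86/main.py",
        "main.py",
    ]
    for s in samples:
        print("%-50s %s" % (s, "allow" if is_browser_safe(s) else "reject"))
```

The check is on the scheme and host, not on the .py suffix, so the http:// URL from the post is still allowed and is left to the browser to display.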