[Python-bugs-list] [ python-Bugs-500401 ] Security fix: webbrowser.py

noreply@sourceforge.net noreply@sourceforge.net
Mon, 07 Jan 2002 06:28:35 -0800


Bugs item #500401, was opened at 2002-01-07 06:28
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=500401&group_id=5470

Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Gregor Hoffleit (flight)
Assigned to: Nobody/Anonymous (nobody)
Summary: Security fix: webbrowser.py

Initial Comment:
Chris Lawrence <lawrencc@debian.org> reports a security
hole in webbrowser.py (cf.
http://bugs.debian.org/127507 for the full report):

webbrowser.py doesn't escape the URL when calling the
browser through os.system(). This makes it possible for
an attacker to execute arbitrary code in /bin/sh.

Attached is a patch by Chris that closes the holes.

    Gregor


----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=500401&group_id=5470