[issue36021] [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
Stéphane Wirtel
report at bugs.python.org
Tue Feb 19 07:33:09 EST 2019
Stéphane Wirtel <stephane at wirtel.be> added the comment:
@vstinner, all the tests pass on AppVeyor and Travis,
I check if the resource is local (file://) or not, and if the given path is a file (c:\\windows\\system32\\calc.exe), I check if this one is an executable.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
More information about the Python-bugs-list
mailing list