[issue36021] [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands
STINNER Victor
report at bugs.python.org
Wed Feb 20 09:48:53 EST 2019
STINNER Victor <vstinner at redhat.com> added the comment:
> Sure we don't want to execute these kinds of scripts but we could mix with GetBinaryTypeW and add a check on the extensions.
Windows has a convenient feature: if you ask to run "program", Windows tries to run "program.exe", "program.bat", etc.
Example:
---
C:\vstinner>del hello.txt
C:\vstinner>type hello.bat
echo "Hello from hello.bat" > /vstinner/hello.txt
C:\vstinner>\vstinner\python\master\python
Python 3.8.0a0 (heads/master:8f59ee01be, Jan 25 2019, 01:16:59) [MSC v.1915 64 bit (AMD64)] on win32
>>> import os
>>> os.startfile(r"c:\vstinner\hello")
>>> with open(r"c:\vstinner\hello.txt") as fp: print(fp.read())
...
"Hello from hello.bat"
---
os.startfile(r"c:\vstinner\hello") <= "hello" filename has no extension
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36021>
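To make the mechanism in the comment concrete, here is an added example (not CPython's code, and not part of the thread): a small model of the PATHEXT-style extension search that turns a bare `hello` into `hello.bat`, plus a pre-flight check a caller could apply so that only absolute http(s) URLs, never filesystem paths, are handed to `os.startfile()`. The `DEFAULT_PATHEXT` tuple and both function names are constructed for this example; the real shell also consults `PATH` and App Paths, which the model leaves out.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Constructed subset of a typical Windows PATHEXT value, in search order.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")


def url_is_safe_for_startfile(target: str) -> bool:
    r"""Accept only absolute http(s) URLs that carry a host.

    A bare filesystem path such as r"c:\vstinner\hello" yields scheme "c" and
    no host, so it is rejected before it could ever reach os.startfile().
    """
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def resolve_like_startfile(directory: str, name: str, pathext=DEFAULT_PATHEXT):
    """Simplified model of the extension search the shell performs.

    If `name` already has an extension it is matched as-is; otherwise each
    PATHEXT suffix is tried case-insensitively, in order. Returns the directory
    entries that would be opened. Only `directory` is searched.
    """
    entries = {e.lower(): e for e in os.listdir(directory)}
    if os.path.splitext(name)[1]:
        return [entries[name.lower()]] if name.lower() in entries else []
    return [entries[(name + ext).lower()] for ext in pathext
            if (name + ext).lower() in entries]


def demo_extension_resolution():
    """Recreate the hello / hello.bat situation from the comment in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the hello.bat shown in the transcript.
        with open(os.path.join(d, "hello.bat"), "w") as fp:
            fp.write('echo "Hello from hello.bat" > hello.txt\n')
        return resolve_like_startfile(d, "hello")


if __name__ == "__main__":
    print(demo_extension_resolution())                        # ['hello.bat']
    print(url_is_safe_for_startfile(r"c:\vstinner\hello"))    # False
    print(url_is_safe_for_startfile("https://python.org/"))   # True
```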