[Python-checkins] CVS: python/dist/src/Lib webbrowser.py,1.18.2.3,1.18.2.4
Fred L. Drake
fdrake@users.sourceforge.net
Mon, 07 Jan 2002 07:30:23 -0800
Update of /cvsroot/python/python/dist/src/Lib
In directory usw-pr-cvs1:/tmp/cvs-serv24053/Lib
Modified Files:
Tag: release21-maint
webbrowser.py
Log Message:
Fix webbrowser.py security bug: be more careful about what we pass to
os.system().
This closes Python bug #500401, Debian bug #127507.
Index: webbrowser.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Lib/webbrowser.py,v
retrieving revision 1.18.2.3
retrieving revision 1.18.2.4
diff -C2 -d -r1.18.2.3 -r1.18.2.4
*** webbrowser.py 2001/12/05 06:42:36 1.18.2.3
--- webbrowser.py 2002/01/07 15:30:21 1.18.2.4
***************
*** 99,102 ****
--- 99,103 ----
def open(self, url, new=0, autoraise=1):
+ assert "'" not in url
command = "%s %s" % (self.name, self.args)
os.system(command % url)
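Review bot: The `assert "'" not in url` guard added to `open` is compiled out when Python runs with `-O`, so in optimized mode nothing checks the URL before `os.system(command % url)`. An explicit test keeps the check in every mode: `if "'" in url: raise ValueError("URL must not contain a single quote")`. The assert added to `_remote` in the next hunk has the same weakness.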
***************
*** 149,153 ****
def _remote(self, action):
! cmd = "kfmclient %s >/dev/null 2>&1" % action
rc = os.system(cmd)
if rc:
--- 150,155 ----
def _remote(self, action):
! assert "'" not in action
! cmd = "kfmclient '%s' >/dev/null 2>&1" % action
rc = os.system(cmd)
if rc:
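Review bot: The new `assert "'" not in action` rejects the only action visible on this page, because the Konqueror `open` hunk that follows now calls `self._remote("openURL '%s'" % url)`, which always contains single quotes. With assertions enabled that call raises AssertionError every time. Under `-O` the command becomes `kfmclient 'openURL 'URL'' >/dev/null 2>&1`, where the inner quotes close the outer ones and leave the URL unquoted. Quoting in one place avoids both problems: keep `cmd = "kfmclient %s >/dev/null 2>&1" % action` here, and in `open` reject a quote in `url` before calling `self._remote("openURL '%s'" % url)`. The body of `_remote` continues past the end of this hunk.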
***************
*** 164,168 ****
# XXX Currently I know no way to prevent KFM from
# opening a new win.
! self._remote("openURL %s" % url)
open_new = open
--- 166,170 ----
# XXX Currently I know no way to prevent KFM from
# opening a new win.
! self._remote("openURL '%s'" % url)
open_new = open
***************
*** 239,262 ****
# The Links browser <http://artax.karlin.mff.cuni.cz/~mikulas/links/>
if _iscommand("links"):
! register("links", None, GenericBrowser("links %s"))
# The Lynx browser <http://lynx.browser.org/>
if _iscommand("lynx"):
! register("lynx", None, GenericBrowser("lynx %s"))
# The w3m browser <http://ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/eng/>
if _iscommand("w3m"):
! register("w3m", None, GenericBrowser("w3m %s"))
# X browsers have more in the way of options
if os.environ.get("DISPLAY"):
# First, the Netscape series
! if _iscommand("netscape") or _iscommand("mozilla"):
! if _iscommand("mozilla"):
! register("mozilla", None, Netscape("mozilla"))
! if _iscommand("netscape"):
! register("netscape", None, Netscape("netscape"))
# Next, Mosaic -- old but still in use.
if _iscommand("mosaic"):
! register("mosaic", None, GenericBrowser("mosaic %s >/dev/null &"))
# Konqueror/kfm, the KDE browser.
--- 241,264 ----
# The Links browser <http://artax.karlin.mff.cuni.cz/~mikulas/links/>
if _iscommand("links"):
! register("links", None, GenericBrowser("links '%s'"))
# The Lynx browser <http://lynx.browser.org/>
if _iscommand("lynx"):
! register("lynx", None, GenericBrowser("lynx '%s'"))
# The w3m browser <http://ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/eng/>
if _iscommand("w3m"):
! register("w3m", None, GenericBrowser("w3m '%s'"))
# X browsers have more in the way of options
if os.environ.get("DISPLAY"):
# First, the Netscape series
! if _iscommand("mozilla"):
! register("mozilla", None, Netscape("mozilla"))
! if _iscommand("netscape"):
! register("netscape", None, Netscape("netscape"))
# Next, Mosaic -- old but still in use.
if _iscommand("mosaic"):
! register("mosaic", None, GenericBrowser(
! "mosaic '%s' >/dev/null &"))
# Konqueror/kfm, the KDE browser.
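Review bot: The single quotes added to these templates are what make the `"'" not in url` check in `GenericBrowser.open` sufficient, but nothing in the code records that dependency. A template registered without the quotes, whether by a later edit here or by another caller of `register`, would hand the URL to the shell unquoted and the check would not notice. A comment above the first registration would state the contract, for example `# Templates must wrap %s in single quotes; GenericBrowser.open() rejects URLs containing "'".` The template built from `cmd.lower()` in the last hunk relies on the same rule.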
***************
*** 310,314 ****
if not _browsers.has_key(cmd.lower()):
if _iscommand(cmd.lower()):
! register(cmd.lower(), None, GenericBrowser("%s %%s" % cmd.lower()))
_tryorder = filter(lambda x: _browsers.has_key(x.lower())
--- 312,317 ----
if not _browsers.has_key(cmd.lower()):
if _iscommand(cmd.lower()):
! register(cmd.lower(), None, GenericBrowser(
! "%s '%%s'" % cmd.lower()))
_tryorder = filter(lambda x: _browsers.has_key(x.lower())