webbrowser module + urls ending in .py = a security hole?
Fuzzyman
fuzzyman at gmail.com
Thu Feb 2 04:39:53 EST 2006
Blair P. Houghton wrote:
> >Would it be sufficient in your case merely to allow only .html files to
> >be loaded? Or URLs without .extensions? Or even just permit only the
> >http: protocol?
>
> Personally, I'm just noodling around with this right now.
> So "my case" is the abstract case. I think the solution if
> one was needed would be to look at how something like
> Firefox implements script detection and warns about it,
> so all forms of scripts would be rejected.
>
> I did try loading the .py file over a remote connection, and
> it does seem to work as expected that way; i.e., I get a
> browser window with the text of the script. So the

The server will send it with a Content-Type set to text/plain - so the
browser knows to treat it as text.

> webbrowser.py module's handling of http:// accesses
> is definitely different from its handling of file:// accesses.
>

It's worth working out if this is down to webbrowser.py *or* Firefox.
Try launching firefox with the path to the py file and seeing what it
does.

If it is webbrowser.py then it is worth fixing.

All the best,

Fuzzyman
http://www.voidspace.org.uk/python/index.shtml

> --Blair
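
The restriction raised in the quoted question ("permit only the http: protocol"), written out as an added example that is not part of the original message or of webbrowser.py. The names `is_web_url` and `open_checked` are hypothetical, and allowing https alongside http is an assumption.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: the application only ever needs to show remote web pages.
ALLOWED_SCHEMES = {"http", "https"}


def is_web_url(url):
    """Return True only for absolute http(s) URLs that name a host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal in the host part
        return False
    # Rejects file:// URLs, bare paths such as "tool.py" (empty scheme),
    # and Windows paths such as "C:\\x.py" (empty or one-letter scheme).
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:///tmp/tool.py" has an allowed scheme but no host, so it is
    # rejected as well.
    return bool(parts.hostname)


def open_checked(url):
    """Hypothetical wrapper: call webbrowser.open only for checked URLs."""
    if not is_web_url(url):
        raise ValueError(f"refusing to open non-web URL: {url!r}")
    return webbrowser.open(url)


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    "http://example.com/tool.py",
    "HTTPS://example.com/tool.py",
    "file:///tmp/tool.py",
    "tool.py",
    "C:\\scripts\\tool.py",
    "http:///tmp/tool.py",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:35} -> {'open' if is_web_url(sample) else 'reject'}")
```

The check only decides what is handed to `webbrowser.open`; how the browser treats a remote `.py` still depends on the Content-Type the server sends, as noted in the reply above.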