webbrowser module + urls ending in .py = a security hole?
Bengt Richter
bokr at oz.net
Mon Jan 30 17:00:13 EST 2006
On Mon, 30 Jan 2006 16:00:25 -0500, Peter Hansen <peter at engcorp.com> wrote:
>Blair P. Houghton wrote:
>> I'm going to try it out on a remote server later today.
>
>Don't bother. I've confirmed the behaviour you saw, and that it is not
>what I'd expect either. My Firefox certainly isn't configured to run
>.py scripts even when invoked with the "file:" protocol, so webbrowser
>is almost certainly Doing Bad Things on Windows.
>
>The relevant code from webbrowser.py shows this, confirming FuzzyMan's
>suspicions:
>
>class WindowsDefault:
>    def open(self, url, new=0, autoraise=1):
>        os.startfile(url)
>
>    def open_new(self, url):
>        self.open(url)
>
>> I may also try to poke around in webbrowser.py, if possible, to see if
>> I can see whether it's selecting the executable for the given
>> extension, or passing it off to the OS. I would think, since Python is
>> not /supposed/ to have client-side scripting powers, that even when the
>> script is on the client this is bad behavior.
>
>I'd agree. I suspect this ought to be reported as a security flaw,
>though it would be nice to know what the fix should be before doing so.
> Anyone know a more suitable approach on Windows than just passing
>things off to startfile()?
>
>> Just don't have the bandwidth, just now.
>>
>> Anyone got a good regex that will always detect an extension that might
>> be considered a script? Or reject all but known non-scripted
>> extensions?
>
>Would it be sufficient in your case merely to allow only .html files to
>be loaded? Or URLs without .extensions? Or even just permit only the
>http: protocol?
>
How about finding the browser via the .html association and then letting that
handle the url? E.g., along the lines of
>>> import os
>>> ft = os.popen('assoc .html').read().split('=',1)[1].strip()
>>> ft
'MozillaHTML'
>>> os.popen('ftype %s'%ft).read().split('=',1)[1].strip()
'D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1"'
Regards,
Bengt Richter
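A worked version of the two ideas in this thread, added here as example code rather than anything posted by the participants: Peter's suggestion of permitting only http: URLs, and Bengt's suggestion of resolving the handler through the .html association instead of letting os.startfile() dispatch on the target's own extension. Because `assoc` and `ftype` only exist on Windows, the parsing functions work from constructed sample output modelled on the session above; `open_with_html_handler` is the only part that shells out, and it is guarded so it refuses to run elsewhere. The function names and the sample strings are mine, not Python's.

```python
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample of what `assoc .html` and `ftype MozillaHTML` print on a
# Windows machine (modelled on the interactive session in the thread).
SAMPLE_ASSOC = ".html=MozillaHTML\n"
SAMPLE_FTYPE = 'MozillaHTML=D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1"\n'


def is_safe_url(url):
    """Accept only absolute http(s) URLs.

    file: URLs, bare paths and plain filenames such as 'evil.py' are refused,
    so nothing we hand on can be dispatched on its own extension the way
    os.startfile() would do it.
    """
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def _value_after_equals(line, expected_key):
    """Shared parser for 'KEY=VALUE' lines printed by assoc/ftype."""
    key, sep, value = line.strip().partition("=")
    if not sep or key.lower() != expected_key.lower() or not value:
        raise ValueError("unexpected association output: %r" % line)
    return value


def parse_assoc(output):
    """'.html=MozillaHTML' -> 'MozillaHTML'."""
    return _value_after_equals(output, ".html")


def parse_ftype(output, filetype):
    """'MozillaHTML=<exe> -url "%1"' -> '<exe> -url "%1"'."""
    return _value_after_equals(output, filetype)


def build_command(template, url):
    """Turn the ftype command template into an argv list.

    %1 is replaced by the URL inside a single argument, and the result is
    meant for subprocess without a shell, so the URL cannot smuggle in
    extra tokens or redirections.
    """
    argv = []
    for token in shlex.split(template, posix=False):
        bare = token.strip('"')          # non-posix shlex keeps the quotes
        argv.append(bare.replace("%1", url) if "%1" in bare else bare)
    return argv


def browser_argv(url, assoc_output, ftype_output):
    """Validate the URL, resolve the .html handler, and build its argv."""
    if not is_safe_url(url):
        raise ValueError("refusing to open %r: only http(s) URLs allowed" % url)
    filetype = parse_assoc(assoc_output)
    template = parse_ftype(ftype_output, filetype)
    return build_command(template, url)


def open_with_html_handler(url):
    """Windows-only: query assoc/ftype for real and launch the browser."""
    if sys.platform != "win32":
        raise OSError("assoc/ftype are only available on Windows")
    assoc_out = subprocess.run(["cmd", "/c", "assoc", ".html"],
                               capture_output=True, text=True, check=True).stdout
    filetype = parse_assoc(assoc_out)
    ftype_out = subprocess.run(["cmd", "/c", "ftype", filetype],
                               capture_output=True, text=True, check=True).stdout
    argv = browser_argv(url, assoc_out, ftype_out)
    subprocess.Popen(argv)   # no shell=True: argv goes straight to the exe
    return argv


if __name__ == "__main__":
    # Dry run on the constructed sample: a .py URL on a web server is fine,
    # because it now goes to the browser rather than to the .py handler.
    print(browser_argv("http://example.com/page.py", SAMPLE_ASSOC, SAMPLE_FTYPE))
```

The scheme check is the part that closes the hole the thread describes: a local path or file: URL never reaches the handler at all, and an http URL that happens to end in .py is simply fetched by the browser like any other resource.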