webbrowser module + urls ending in .py = a security hole?

Peter Hansen peter at engcorp.com
Mon Jan 30 16:00:25 EST 2006

Blair P. Houghton wrote:
> I'm going to try it out on a remote server later today.

Don't bother.  I've confirmed the behaviour you saw, and that it is not 
what I'd expect either.  My Firefox certainly isn't configured to run 
.py scripts even when invoked with the "file:" protocol, so webbrowser 
is almost certainly Doing Bad Things on Windows.

The relevant code from webbrowser.py shows this, confirming FuzzyMan's 

class WindowsDefault:
     def open(self, url, new=0, autoraise=1):

     def open_new(self, url):

> I may also try to poke around in webbrowser.py, if possible, to see if
> I can see whether it's selecting the executable for the given
> extension, or passing it off to the OS.  I would think, since Python is
> not /supposed/ to have client-side scripting powers, that even when the
> script is on the client this is bad behavior.

I'd agree.  I suspect this ought to be reported as a security flaw, 
though it would be nice to know what the fix should be before doing so. 
  Anyone know a more suitable approach on Windows than just passing 
things off to startfile()?

> Just don't have the bandwidth, just now.
> Anyone got a good regex that will always detect an extension that might
> be considered a script? Or reject all but known non-scripted
> extensions? 

Would it be sufficient in your case merely to allow only .html files to 
be loaded?  Or URLs without .extensions?  Or even just permit only the 
http: protocol?


More information about the Python-list mailing list