webbrowser module + urls ending in .py = a security hole?
Peter Hansen
peter at engcorp.com
Mon Jan 30 18:15:15 EST 2006
Bengt Richter wrote:
> How about finding the browser via .html association and then letting that
> handle the url? E.g., along the lines of
>
> >>> import os
> >>> ft = os.popen('assoc .html').read().split('=',1)[1].strip()
> >>> ft
> 'MozillaHTML'
> >>> os.popen('ftype %s'%ft).read().split('=',1)[1].strip()
> 'D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1"'
I'm not certain that's safe in all cases. On my machine it does map to
Firefox, but there's also a registry class called "htmlfile" which I
think is used in some circumstances (not sure what they might be... this
crap is all black magic as far as I'm concerned), and on my machine it
is still pointing here:
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
And that's even with Firefox set up as both the default browser and as
the browser to launch from the Start menu (which are not the same thing,
as I sadly learned while coming up with the "http" approach I mentioned
in another post).
-Peter
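
An added example, not part of the original posts: a Python sketch that takes the two command templates quoted above (the .html association and the "htmlfile" class), shows they name different executables, and builds an argv list for a chosen template only when the URL is http(s), so the string is passed to the browser as an argument rather than to a shell or file association. The ASSOC/FTYPE tables are constructed from the values in the thread; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample in `assoc` / `ftype` form, using the values quoted in the thread.
ASSOC = {".html": "MozillaHTML"}
FTYPE = {
    "MozillaHTML": r'D:\MOZ\MOZILL~1\MOZILL~1.EXE -url "%1"',
    "htmlfile": r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
}

def split_template(template):
    """Split a Windows open-command template into tokens, honouring double quotes."""
    tokens, cur, in_q, quoted = [], "", False, False
    for ch in template:
        if ch == '"':
            in_q = not in_q
            quoted = True
        elif ch.isspace() and not in_q:
            if cur or quoted:
                tokens.append(cur)
            cur, quoted = "", False
        else:
            cur += ch
    if cur or quoted:
        tokens.append(cur)
    return tokens

def build_argv(template, url):
    """Return an argv list (for subprocess without a shell); reject non-web URLs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("refusing non-http(s) URL: %r" % url)
    argv = split_template(template)
    if any("%1" in t for t in argv):
        return [t.replace("%1", url) for t in argv]
    return argv + [url]  # template has no placeholder: append the URL

def handlers_for_html():
    """Executables named by the .html ProgID and by the htmlfile class."""
    return {name: split_template(FTYPE[name])[0]
            for name in (ASSOC[".html"], "htmlfile")}

if __name__ == "__main__":
    print(handlers_for_html())
    print(build_argv(FTYPE["MozillaHTML"], "http://example.com/script.py"))
```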