webbrowser module + urls ending in .py = a security hole?

Blair P. Houghton blair.houghton at gmail.com
Mon Jan 30 15:09:22 EST 2006

I'm going to try it out on a remote server later today.

I did use this script to fetch remote HTML
(url='http://www.python.org') before I tired the remote file, and it
opened the webpage in Firefox.

I may also try to poke around in webbrowser.py, if possible, to see if
I can see whether it's selecting the executable for the given
extension, or passing it off to the OS.  I would think, since Python is
not /supposed/ to have client-side scripting powers, that even when the
script is on the client this is bad behavior.

Just don't have the bandwidth, just now.

Anyone got a good regex that will always detect an extension that might
be considered a script? Or reject all but known non-scripted
extensions? Because wrapping the webbrowser.open() call would be the
workaround, and upgrading webbrowser.py would be a solution.


More information about the Python-list mailing list