webbrowser module + urls ending in .py = a security hole?

Peter Hansen peter at engcorp.com
Mon Jan 30 16:32:01 EST 2006

Peter Hansen wrote:
> I'd agree.  I suspect this ought to be reported as a security flaw, 
> though it would be nice to know what the fix should be before doing so. 
> Anyone know a more suitable approach on Windows than just passing 
> things off to startfile()?

It appears the correct approach might be something along the lines of 
reading the registry to find what application is configured for the 
"HTTP" protocol (HKCR->HTTP->shell->open->command) and run that, passing 
it the URL.  I think that would do what most people expect, even when 
the URL actually passed specifies the "file" protocol and not "http".



More information about the Python-list mailing list