webbrowser module + urls ending in .py = a security hole?
peter at engcorp.com
Mon Jan 30 16:32:01 EST 2006
Peter Hansen wrote:
> I'd agree. I suspect this ought to be reported as a security flaw,
> though it would be nice to know what the fix should be before doing so.
> Anyone know a more suitable approach on Windows than just passing
> things off to startfile()?
It appears the correct approach might be something along the lines of
reading the registry to find what application is configured for the
"HTTP" protocol (HKCR->HTTP->shell->open->command) and run that, passing
it the URL. I think that would do what most people expect, even when
the URL actually passed specifies the "file" protocol and not "http".
More information about the Python-list