webbrowser module + urls ending in .py = a security hole?

Blair P. Houghton blair.houghton at gmail.com
Sun Jan 29 22:59:17 EST 2006

I'm just learning Python, so bear with.

I was messing around with the webbrowser module and decided it was
pretty cool to have the browser open a URL from within a python script,
so I wrote a short script to open a local file the same way, using the
script file as an example target:

# browser-test.py
import webbrowser
import sys
pathname = sys.argv[0]
protocol = 'file://'
url = protocol + pathname

And what I got, instead of a browser window with the text of my script,
was a sequence of DOS windows popping up and disappearing.

Apparently that's because either Windows (XP SP2) or the browser
(Firefox) was interpreting the .py file extension and running Python to
execute it.

So is this a known (mis)feature, and will it happen if I chance to use
webbrowser.open() on a remote .py file?

Because if so, it's a king-hell security hole.


More information about the Python-list mailing list