webbrowser module + urls ending in .py = a security hole?
Blair P. Houghton
blair.houghton at gmail.com
Sun Jan 29 22:59:17 EST 2006
I'm just learning Python, so bear with.
I was messing around with the webbrowser module and decided it was
pretty cool to have the browser open a URL from within a python script,
so I wrote a short script to open a local file the same way, using the
script file as an example target:
pathname = sys.argv
protocol = 'file://'
url = protocol + pathname
And what I got, instead of a browser window with the text of my script,
was a sequence of DOS windows popping up and disappearing.
Apparently that's because either Windows (XP SP2) or the browser
(Firefox) was interpreting the .py file extension and running Python to
So is this a known (mis)feature, and will it happen if I chance to use
webbrowser.open() on a remote .py file?
Because if so, it's a king-hell security hole.
More information about the Python-list