New submission from STINNER Victor <vstin...@redhat.com>:

The webbrowser module uses WindowsDefault which calls os.startfile() and so can 
be abused to run arbitrary commands.

WindowsDefault should log a warning or raise an error if the URL is unsafe. 
I'm not sure how to build a list of safe URL schemes. At least, we can 
explicitly exclude "C:\WINDOWS\system32\calc.exe" which doesn't contain "://".

The union of all "uses_*" constants of urllib.parser gives me this sorted list 
of URL schemes:

['', 'file', 'ftp', 'git', 'git+ssh', 'gopher', 'hdl', 'http', 'https', 'imap', 
'mailto', 'mms', 'news', 'nfs', 'nntp', 'prospero', 'rsync', 'rtsp', 'rtspu', 
'sftp', 'shttp', 'sip', 'sips', 'snews', 'svn', 'svn+ssh', 'tel', 'telnet', 
'wais', 'ws', 'wss']

Would it make sense to ensure that urllib.parser can parse an email to check if 
the URL looks valid?

----------
components: Library (Lib)
messages: 335805
nosy: vstinner
priority: normal
severity: normal
status: open
title: [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and 
so can be abused to run arbitrary commands
type: security
versions: Python 2.7, Python 3.7, Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
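The following is an added example, not code from the bug report or from CPython, of the allow-list check the report sketches: reject anything that is not structurally a URL with a known scheme before it can reach os.startfile(). The names BROWSER_SCHEMES, HIERARCHICAL_SCHEMES, is_safe_browser_url and safe_open, and the choice of a narrow allow-list rather than the full union of the uses_* constants, are assumptions made for this example.

```python
"""Allow-list check for URLs before handing them to webbrowser on Windows.

Added example (not part of the bug report or of CPython). The idea is the
one the report proposes: refuse a string whose scheme is not an allowed URL
scheme before os.startfile() ever sees it. The names below are assumptions.
"""
import webbrowser
from urllib.parse import urlsplit

# Conservative allow-list for a browser launcher (an assumption for this
# example; deliberately narrower than urllib.parse's uses_* union, which
# also lists "file", "telnet", "nfs" and other non-browser schemes).
BROWSER_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Schemes that must carry an authority part, i.e. must contain "://".
HIERARCHICAL_SCHEMES = frozenset({"http", "https", "ftp"})


def is_safe_browser_url(url, allowed=BROWSER_SCHEMES):
    """Return True only if `url` has an allowed scheme and sane structure.

    A Windows path such as C:\\WINDOWS\\system32\\calc.exe parses with scheme
    "c", a bare "calc.exe" has no scheme at all, and "file:" or "javascript:"
    are not in the allow-list, so all of them are rejected.
    """
    if not isinstance(url, str) or not url:
        return False
    # Control characters (newline, tab, NUL, DEL) have no place in a URL
    # that is about to be passed to a launcher; reject them outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets in the netloc
        return False
    scheme = parts.scheme.lower()
    if not scheme or scheme not in allowed:
        return False
    if scheme in HIERARCHICAL_SCHEMES:
        # urlsplit only fills netloc when "//" follows the scheme, so a
        # non-empty netloc is exactly the "contains ://" test the report
        # suggests; "http:example.com" and "http:///x" both fail it.
        return bool(parts.netloc)
    # Non-hierarchical schemes (mailto) just need a non-empty remainder.
    return bool(parts.path)


def safe_open(url, opener=webbrowser.open):
    """Open `url` only if it passes the allow-list; raise ValueError otherwise.

    `opener` is injectable so the check can be exercised without launching
    a real browser (an assumption of this example, not a webbrowser API).
    """
    if not is_safe_browser_url(url):
        raise ValueError(
            "refusing to open non-URL or disallowed scheme: %r" % (url,))
    return opener(url)


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the report mentions.
    for candidate in ["https://www.python.org/", "HTTP://Example.com/",
                      "mailto:user@example.com", r"C:\WINDOWS\system32\calc.exe",
                      "calc.exe", "file:///C:/Windows/system32/calc.exe",
                      "javascript:alert(1)", "http:example.com"]:
        print("%-45s %s" % (candidate, is_safe_browser_url(candidate)))
```

The check is intentionally structural: it does not try to decide whether a given http URL is trustworthy, only whether the string is a URL of an allowed scheme at all, which is the property os.startfile() itself never verifies.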