STINNER Victor <vstin...@redhat.com> added the comment:
Parsing a URL and deciding if a URL is "safe" or not is hard. For example, PR 11931 denies "file://" URLs, but I don't see the issue with opening such a URL:

file:///home/vstinner/prog/GIT/github.io/output/index.html
(local path to an HTML file)

The problem here is that os.startfile() can be abused to run arbitrary commands.

Another option would be to behave as the Unix classes: run a specific browser directly, like Chrome or Firefox. Maybe the registry can help? I found interesting keys:

"HKEY_CURRENT_USER\Software\Classes\BSURL\shell\open\command"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Clients\StartmenuInternet\"

----------
components: +Windows
nosy: +paul.moore, steve.dower, tim.golden, zach.ware

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36021>
_______________________________________
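The registry idea raised in the comment above, sketched as an added example (not code from CPython, PR 11931 or the comment's author): look up the per-scheme UserChoice Progid and start that browser with an argv list instead of calling os.startfile(). The helper names are hypothetical, and resolving a ProgID through its `shell\open\command` default value is the standard Windows convention, assumed here rather than stated in the comment.

```python
import shlex
import subprocess
import urllib.parse

# Per-scheme key from the comment above; it lists http, https and ftp.
USER_CHOICE = (r"Software\Microsoft\Windows\Shell\Associations"
               r"\UrlAssociations\{scheme}\UserChoice")
SCHEMES = ("http", "https", "ftp")


def read_registry(hive, path, name):
    """Read one string value from the Windows registry (hypothetical helper)."""
    import winreg  # imported lazily: the module only exists on Windows
    root = {"HKCU": winreg.HKEY_CURRENT_USER,
            "HKCR": winreg.HKEY_CLASSES_ROOT}[hive]
    with winreg.OpenKey(root, path) as key:
        return winreg.QueryValueEx(key, name)[0]


def browser_argv(url, read_value=read_registry):
    """Build the argv that starts the user's chosen browser on `url`."""
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError("no UrlAssociations lookup for scheme %r" % scheme)
    progid = read_value("HKCU", USER_CHOICE.format(scheme=scheme), "Progid")
    # Assumed ProgID layout: the default value of shell\open\command holds
    # the command-line template, with %1 standing for the URL.
    template = read_value("HKCR", progid + r"\shell\open\command", "")
    # posix=False keeps the backslashes of Windows paths; the quotes that
    # shlex leaves around each token are stripped afterwards.
    argv = [part.strip('"') for part in shlex.split(template, posix=False)]
    if not any("%1" in part for part in argv):
        argv.append("%1")  # template without a placeholder: URL goes last
    return [part.replace("%1", url) for part in argv]


def open_in_browser(url):
    # List argv, no shell: the URL reaches the browser as one argument and
    # is never interpreted as a document or command by os.startfile().
    return subprocess.Popen(browser_argv(url))
```

A ProgID that has no `shell\open\command` value makes `read_registry` raise `OSError`, which a caller would treat as "no browser found" and fall back from.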