On Mon, 30 Jan 2006 16:00:25 -0500, Peter Hansen <[EMAIL PROTECTED]> wrote:
>Blair P. Houghton wrote:
>> I'm going to try it out on a remote server later today.
>
>Don't bother.  I've confirmed the behaviour you saw, and that it is not
>what I'd expect either.  My Firefox certainly isn't configured to run
>.py scripts even when invoked with the "file:" protocol, so webbrowser
>is almost certainly Doing Bad Things on Windows.
>
>The relevant code from webbrowser.py shows this, confirming FuzzyMan's
>suspicions:
>
>class WindowsDefault:
>     def open(self, url, new=0, autoraise=1):
>         os.startfile(url)
>
>     def open_new(self, url):
>         self.open(url)
>
>> I may also try to poke around in webbrowser.py, if possible, to see if
>> I can see whether it's selecting the executable for the given
>> extension, or passing it off to the OS.  I would think, since Python is
>> not /supposed/ to have client-side scripting powers, that even when the
>> script is on the client this is bad behavior.
>
>I'd agree.  I suspect this ought to be reported as a security flaw,
>though it would be nice to know what the fix should be before doing so.
>  Anyone know a more suitable approach on Windows than just passing
>things off to startfile()?
>
>> Just don't have the bandwidth, just now.
>>
>> Anyone got a good regex that will always detect an extension that might
>> be considered a script?  Or reject all but known non-scripted
>> extensions?
>
>Would it be sufficient in your case merely to allow only .html files to
>be loaded?  Or URLs without .extensions?  Or even just permit only the
>http: protocol?
>
How about finding the browser via .html association and then letting that
handle the url? E.g., along the lines of

 >>> import os
 >>> ft = os.popen('assoc .html').read().split('=',1)[1].strip()
 >>> ft
 'MozillaHTML'
 >>> os.popen('ftype %s'%ft).read().split('=',1)[1].strip()
 'D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1"'

Regards,
Bengt Richter
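
An added example, not part of the original message and not code from webbrowser.py: it combines the two suggestions in this thread, permitting only http(s) URLs and starting the program that ftype reports for .html files directly, without a shell and without os.startfile(). The function names, the scheme allow-list and the simple template tokenizer are assumptions made for illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web URLs are wanted

def is_allowed_url(url):
    """True only for http(s) URLs with a host and no spaces, quotes or control chars."""
    if any(ch.isspace() or ord(ch) < 0x20 or ch == '"' for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)

def build_browser_argv(ftype_command, url):
    """Turn an ftype command template such as
    D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1" into an argv list for `url`."""
    if not is_allowed_url(url):
        raise ValueError("refusing to open non-http(s) URL: %r" % url)
    # Tokens are either "quoted strings" or runs of non-space characters.
    tokens = [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', ftype_command)]
    if not tokens:
        raise ValueError("empty ftype command")
    if any("%1" in t for t in tokens[1:]):
        return [tokens[0]] + [t.replace("%1", url) for t in tokens[1:]]
    return tokens + [url]  # template without a %1 placeholder

def _cmd_value(*args):
    """Run a cmd.exe builtin (assoc/ftype) and return the text after '='."""
    out = subprocess.check_output(["cmd", "/c"] + list(args), text=True)
    return out.split("=", 1)[1].strip()

def open_in_browser(url):
    """Windows only: resolve the .html handler and start it without a shell."""
    file_type = _cmd_value("assoc", ".html")
    argv = build_browser_argv(_cmd_value("ftype", file_type), url)
    return subprocess.Popen(argv)
```

Because the URL is validated before it reaches any launcher, a local path such as test.py or a file: URL is rejected instead of being handed to whatever program is registered for its extension. On current Windows versions the per-user default browser is recorded separately from what assoc and ftype report, so the command resolved here may not be the user's chosen browser.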