yao zhihua <hackyzh...@gmail.com> added the comment: Here about webbrowser vulnerability. https://bugs.python.org/issue32367
You could execute command with file protocols in python 2.7.10. poc : import webbrowser, os filename = "/bin/ls" webbrowser.open(os.path.realpath(filename)) If python has fixed this vulnerability,why can I access file:///etc/passwd? But I can't access /etc/shadow.Is this it fixed incomplete? ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue32993> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com