[issue32993] urllib and webbrowser.open() can open w/ file: protocol

2018-03-11 Thread Ned Deily
Change by Ned Deily:

stage: -> resolved
status: pending -> closed
type: security ->

___ Python tracker ___

[issue32993] urllib and webbrowser.open() can open w/ file: protocol

2018-03-11 Thread Martin Panter
Martin Panter added the comment: Hi Yao, I tend to agree with Ned. The support for “file:” URLs is by design. I don’t see any security problems. I suggest closing this. In Issue 11662, it was decided that a web server redirecting to a “file:” URL was a security

[issue32993] urllib and webbrowser.open() can open w/ file: protocol

2018-03-10 Thread yao zhihua
yao zhihua added the comment: Here about webbrowser vulnerability. https://bugs.python.org/issue32367 You could execute a command with file protocols in Python 2.7.10. poc:

    import webbrowser, os
    filename = "/bin/ls"
    webbrowser.open(os.path.realpath(filename))

If python

[issue32993] urllib and webbrowser.open() can open w/ file: protocol

2018-03-10 Thread yao zhihua
yao zhihua added the comment: Borrow what others have said from Issue11662. The Python urllib and urllib2 modules are typically used to fetch web pages but by default also contain handlers for ftp:// and file:// URL schemes. Now unfortunately it

[issue32993] urllib and webbrowser.open() can open w/ file: protocol

2018-03-09 Thread Ned Deily
Ned Deily added the comment: This is now marked as a security issue but I do not understand what the problem is. urllib / urllib2 are supposed to be able to open file:// style URLs, that was not the point of Issue11662.

[issue32993] urllib and webbrowser.open() can open w/ file: protocol

2018-03-05 Thread Brett Cannon
Change by Brett Cannon:

keywords: +security_issue
title: issue11662 Incomplete fix -> urllib and webbrowser.open() can open w/ file: protocol