Issue 32367: [Security] CVE-2017-17522: webbrowser.py in Python does not validate strings

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/76548

classification

Title:	[Security] CVE-2017-17522: webbrowser.py in Python does not validate strings
Type:	security	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7

process

Status:	closed	Resolution:	not a bug
Dependencies:		Superseder:
Assigned To:		Nosy List:	cstratak, martin.panter, ned.deily, vstinner
Priority:	high	Keywords:

Created on 2017-12-18 16:29 by vstinner, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL	Status	Linked	Edit
PR 8802	open	enedil, 2018-08-17 23:45

Messages (4)
msg308572 - (view)	Author: STINNER Victor (vstinner) *	Date: 2017-12-18 16:29
https://security-tracker.debian.org/tracker/CVE-2017-17522 Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
msg308574 - (view)	Author: STINNER Victor (vstinner) *	Date: 2017-12-18 16:31
Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17522 Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17522.html SUSE: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2017-17522
msg313556 - (view)	Author: Ned Deily (ned.deily) *	Date: 2018-03-10 20:48
Update: https://security-tracker.debian.org/tracker/CVE-2017-17522 "** DISPUTED [...] NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting."
msg313804 - (view)	Author: Ned Deily (ned.deily) *	Date: 2018-03-14 05:39
And Red Hat has already closed their version of this as NOTABUG: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17522 It seems nearly everyone is agreement that this is not a security issue.

History
Date	User	Action	Args
2022-04-11 14:58:55	admin	set	github: 76548
2018-08-17 23:45:09	enedil	set	pull_requests: + pull_request8277
2018-03-14 05:39:44	ned.deily	set	status: open -> closed resolution: not a bug messages: + msg313804 stage: resolved
2018-03-10 20:48:11	ned.deily	set	nosy: + ned.deily messages: + msg313556
2017-12-19 11:45:41	pitrou	set	priority: normal -> high
2017-12-19 10:31:40	vstinner	set	nosy: + martin.panter
2017-12-18 16:57:52	cstratak	set	nosy: + cstratak
2017-12-18 16:31:33	vstinner	set	messages: + msg308574
2017-12-18 16:29:29	vstinner	set	title: CVE-2017-17522: webbrowser.py in Python does not validate strings -> [Security] CVE-2017-17522: webbrowser.py in Python does not validate strings
2017-12-18 16:29:03	vstinner	create