Message313529
Here about webbrowser vulnerability.
https://bugs.python.org/issue32367
You could execute command with file protocols in python 2.7.10.
poc :
import webbrowser, os
filename = "/bin/ls"
webbrowser.open(os.path.realpath(filename))
If python has fixed this vulnerability,why can I access file:///etc/passwd? But I can't access /etc/shadow.Is this it fixed incomplete? |
|
Date |
User |
Action |
Args |
2018-03-10 14:20:19 | yao zhihua | set | recipients:
+ yao zhihua, orsenthil, ned.deily |
2018-03-10 14:20:19 | yao zhihua | set | messageid: <1520691619.05.0.467229070634.issue32993@psf.upfronthosting.co.za> |
2018-03-10 14:20:19 | yao zhihua | link | issue32993 messages |
2018-03-10 14:20:18 | yao zhihua | create | |
|