
Author: martin.panter
Recipients: martin.panter, ned.deily, orsenthil, yao zhihua
Date: 2018-03-12 00:35:01
Message-id: <1520814901.81.0.467229070634.issue32993@psf.upfronthosting.co.za>

Content
Hi Yao, I tend to agree with Ned. The support for “file:” URLs is by design. I don’t see any security problems. I suggest closing this.

In Issue 11662, it was decided that a web server redirecting to a “file:” URL was a security problem. This is because the mechanism that follows the redirect is automatic, and the target of the redirect is under the control of the remote server, not the local user or program. But other parts of the Python library still support “file:” URLs without causing any problems. Those URLs are under the control of the caller, as in your “poc.py” file.

The /etc/passwd file may be readable by ordinary users. But /etc/shadow may require special permission to read, because it holds password hashes. Or it may not exist under that name, depending on the OS. If a web application calls “urllib.request.urlopen”, I think it is up to the application to validate the URL it passes. It may want to deny or limit access to specific directories, URL schemes, host names, etc. It is not up to Python to make those decisions.

When I tried your “webbrowser.open” demonstration, it made Firefox offer to “download” (i.e. copy) the “ls” executable file. I think this is normal behaviour, and does not indicate a security problem. A plausible use-case would be opening a local README.html file distributed with a program in a web browser.
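An added example, not part of the message above and not CPython's own code: the caller-side validation the message says is the application's responsibility, with the same policy re-applied to every redirect target (the Issue 11662 concern). The allowed schemes and the host allowlist are constructed for illustration.

```python
"""Caller-side URL policy applied before urllib.request.urlopen and to redirects."""
from urllib.parse import urlsplit
import urllib.request

ALLOWED_SCHEMES = {"http", "https"}                 # file:, ftp:, data: etc. are refused
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist (assumption)


def validate_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return url unchanged if it passes the policy, else raise ValueError.

    The scheme is checked first: a "file:" URL has no host at all, so a
    host allowlist on its own would not reject it.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme or '<none>'!r}")
    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    if not host:
        raise ValueError("URL has no host")
    if host not in allowed_hosts:
        raise ValueError(f"host not allowed: {host!r}")
    return url


def is_allowed(url):
    """Boolean form of validate_url, convenient for checks and tests."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


class PolicyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-validate each redirect target: the remote server picks it, not the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        validate_url(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, timeout=10):
    """Open url only after it, and any redirect it triggers, passes the policy."""
    opener = urllib.request.build_opener(PolicyRedirectHandler)
    return opener.open(validate_url(url), timeout=timeout)
```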