
Author vstinner
Recipients vstinner
Date 2019-02-18.11:00:52
Message-id <1550487653.15.0.496398912417.issue36021@roundup.psfhosted.org>
Content
The webbrowser module uses WindowsDefault which calls os.startfile() and so can be abused to run arbitrary commands.

WindowsDefault should log a warning or raise an error if the URL is unsafe. I'm not sure how to build a list of safe URL schemes. At least, we can explicitly exclude "C:\WINDOWS\system32\calc.exe" which doesn't contain "://".

The union of all "uses_*" constants of urllib.parser gives me this sorted list of URL schemes:

['', 'file', 'ftp', 'git', 'git+ssh', 'gopher', 'hdl', 'http', 'https', 'imap', 'mailto', 'mms', 'news', 'nfs', 'nntp', 'prospero', 'rsync', 'rtsp', 'rtspu', 'sftp', 'shttp', 'sip', 'sips', 'snews', 'svn', 'svn+ssh', 'tel', 'telnet', 'wais', 'ws', 'wss']

Would it make sense to ensure that urllib.parser can parse an email to check if the URL looks valid?
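An added example (not CPython's code and not part of this message) of the kind of allow-list check described above: it derives the scheme list from the urllib.parse scheme lists (the `uses_*` constants plus `non_hierarchical`, which is where `mailto` comes from), drops the empty and `file` schemes, and requires a host part for schemes that use one. The function name `is_safe_url` is hypothetical.

```python
"""Scheme allow-list check to run on a URL before handing it to a system opener."""
import urllib.parse
from urllib.parse import urlsplit

# Union of urllib.parse's scheme lists. These are module-level lists, not a
# public API, so a production check would pin its own copy of the list.
_SCHEME_LISTS = (
    "uses_relative", "uses_netloc", "uses_params",
    "uses_query", "uses_fragment", "non_hierarchical",
)
_KNOWN_SCHEMES = set()
for _name in _SCHEME_LISTS:
    _KNOWN_SCHEMES.update(getattr(urllib.parse, _name))

# '' means a scheme-less reference (a bare path such as calc.exe) and 'file'
# means a local path; neither should reach an opener from untrusted input.
ALLOWED_SCHEMES = frozenset(_KNOWN_SCHEMES) - {"", "file"}

# Schemes that must carry a host part ("scheme://host...").
_NETLOC_SCHEMES = frozenset(urllib.parse.uses_netloc) - {"", "file"}


def is_safe_url(url: str) -> bool:
    """Return True only if url has an allow-listed scheme (and a host where required)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # A Windows path like C:\... parses with scheme 'c', which is not allow-listed,
    # and a bare file name parses with an empty scheme, which is excluded too.
    if scheme not in ALLOWED_SCHEMES:
        return False
    # 'http:foo' has an allowed scheme but no host: reject the non-"://" form.
    if scheme in _NETLOC_SCHEMES and not parts.netloc:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("https://docs.python.org/3/", "mailto:user@example.invalid",
                   r"C:\WINDOWS\system32\calc.exe", "calc.exe", "http:nohost"):
        print(f"{sample!r}: {'allowed' if is_safe_url(sample) else 'rejected'}")
```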