
Author vstinner
Recipients matrixise, mdk, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date 2019-02-19.15:50:05
Message-id <1550591406.05.0.521348929805.issue36021@roundup.psfhosted.org>
In-reply-to
Content
Parsing a URL and deciding whether a URL is "safe" or not is hard.

For example, PR 11931 denies "file://" URLs, but I don't see the issue with opening such a URL:
file:///home/vstinner/prog/GIT/github.io/output/index.html
(local path to an HTML file)

The problem here is that os.startfile() can be abused to run arbitrary commands.

Another option would be to behave like the Unix classes: run a specific browser directly, like Chrome or Firefox.

Maybe the registry can help? I found interesting keys:

"HKEY_CURRENT_USER\Software\Classes\BSURL\shell\open\command"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Clients\StartmenuInternet\"
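The registry route suggested in the message, as an added example (not code from the tracker or from CPython): resolve the default browser through the UrlAssociations UserChoice key and build an argument list for it, so the URL is passed as one argument instead of going through os.startfile(). It assumes the open command is stored under HKEY_CLASSES_ROOT\<ProgId>\shell\open\command, restricts itself to http and https as an assumption, and uses hypothetical names (browser_argv, read_registry, sample_read) with a constructed sample registry.

```python
import re
from urllib.parse import urlsplit

# Key path taken from the message above; {} is the URL scheme.
USER_CHOICE = (r"Software\Microsoft\Windows\Shell\Associations"
               r"\UrlAssociations\{}\UserChoice")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: web schemes only


def read_registry(hive, path, name):
    """Windows-only reader; hive is "HKCU" or "HKCR"."""
    import winreg
    root = {"HKCU": winreg.HKEY_CURRENT_USER,
            "HKCR": winreg.HKEY_CLASSES_ROOT}[hive]
    with winreg.OpenKey(root, path) as key:
        return winreg.QueryValueEx(key, name)[0]


def browser_argv(url, read=read_registry):
    """Return the argv that starts the user's default browser on url."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing to open %r" % url)
    progid = read("HKCU", USER_CHOICE.format(parts.scheme), "ProgId")
    template = read("HKCR", progid + r"\shell\open\command", "")
    # Split the command template into tokens, keeping quoted paths whole.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', template)]
    if not any("%1" in t for t in tokens):
        raise ValueError("open command has no %1 placeholder")
    # The URL replaces %1 inside one token, so it stays a single argument
    # when the list is given to subprocess.Popen (no shell involved).
    return [t.replace("%1", url) for t in tokens]


# Constructed sample registry content, so the lookup can be followed offline.
SAMPLE = {
    ("HKCU", USER_CHOICE.format("https"), "ProgId"): "SampleBrowserURL",
    ("HKCR", r"SampleBrowserURL\shell\open\command", ""):
        r'"C:\Program Files\SampleBrowser\browser.exe" --url "%1"',
}


def sample_read(hive, path, name):
    return SAMPLE[(hive, path, name)]


if __name__ == "__main__":
    print(browser_argv("https://www.python.org/", sample_read))
```

On Windows, the returned list can be handed to subprocess.Popen as is; the file:// case from the message would need the FileExts keys instead and is rejected here.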