Message335957
Parsing an URL and deciding if an URL is "safe" or not is hard.
For example, PR 11931 denies "file://" URLs, but I don't see the issue with opening such URL:
file:///home/vstinner/prog/GIT/github.io/output/index.html
(local path to a HTML file)
The problem here is that os.startfile() can be abused to run arbitrary command.
Another option would be to behave as Unix classes: run directly as specific browser like Chrome or Firefox.
Maybe the registry can help? I found interesting keys:
"HKEY_CURRENT_USER\Software\Classes\BSURL\shell\open\command"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid"
"HKEY_CURRENT_USER\Software\Clients\StartmenuInternet\" |
|
Date |
User |
Action |
Args |
2019-02-19 15:50:06 | vstinner | set | recipients:
+ vstinner, paul.moore, tim.golden, zach.ware, steve.dower, matrixise, mdk |
2019-02-19 15:50:06 | vstinner | set | messageid: <1550591406.05.0.521348929805.issue36021@roundup.psfhosted.org> |
2019-02-19 15:50:06 | vstinner | link | issue36021 messages |
2019-02-19 15:50:05 | vstinner | create | |
|