I'm just learning Python, so bear with.
I was messing around with the webbrowser module and decided it was
pretty cool to have the browser open a URL from within a python script,
so I wrote a short script to open a local file the same way, using the
script file as an example target:
# browser-test.py
import webbrowser
import sys
pathname = sys.argv[0]
protocol = 'file://'
url = protocol + pathname
webbrowser.open (url)
And what I got, instead of a browser window with the text of my script,
was a sequence of DOS windows popping up and disappearing.
Apparently that's because either Windows (XP SP2) or the browser
(Firefox) was interpreting the .py file extension and running Python to
execute it.
So is this a known (mis)feature, and will it happen if I chance to use
webbrowser.open () on a remote .py file?
Because if so, it's a king-hell security hole.
--Blair
Oh, uh, Python version 2.4.2, in case you're wondering.
--Blair
Blair P. Houghton wrote: I was messing around with the webbrowser module and decided it was pretty cool to have the browser open a URL from within a python script, so I wrote a short script to open a local file the same way, using the script file as an example target:
# browser-test.py
import webbrowser
import sys
pathname = sys.argv[0]
protocol = 'file://'
url = protocol + pathname
webbrowser.open (url)
And what I got, instead of a browser window with the text of my script, was a sequence of DOS windows popping up and disappearing.
Apparently that's because either Windows (XP SP2) or the browser (Firefox) was interpreting the .py file extension and running Python to execute it.
So is this a known (mis)feature, and will it happen if I chance to use webbrowser.open () on a remote .py file?
What happens when you load a remote .py file using the web browser
directly? With Firefox on my machine, it just displays the file, as
expected, whether loaded via webbrowser.open () or not. Make sure you're
testing with the same browser that webbrowser loads (try a regular HTML
file first if you're not sure which that is).
Because if so, it's a king-hell security hole.
It might probably be worth a warning in the docs, but it's no larger a
security hole than the browser itself already has. If your browser is
configured to load files of a given type directly into a particular
application without first checking with you if you want it to do so,
you're potentially screwed already.
But is Firefox really your default browser? The webbrowser module could
be loading Internet Explorer on your machine, and we all know just how
safe *that* is...
-Peter
It sounds like you're running on windows *and* that webbrowser.py just
uses ``os.startfile``.
For html files (associated with your default browser) this will *do the
right thing*. For everything else, it will *do the wrong thing*.
I could well be wrong though...
All the best,
Fuzzyman http://www.voidspace.org.uk/python/index.shtml
Does that only happen when you open file:// urls? You already have
local access from Python, so it'd be more concerning if it happened
with Python files on remote servers.
- Jason
I'm going to try it out on a remote server later today.
I did use this script to fetch remote HTML
(url='http://www.python.org' ) before I tired the remote file, and it
opened the webpage in Firefox.
I may also try to poke around in webbrowser.py, if possible, to see if
I can see whether it's selecting the executable for the given
extension, or passing it off to the OS. I would think, since Python is
not /supposed/ to have client-side scripting powers, that even when the
script is on the client this is bad behavior.
Just don't have the bandwidth, just now.
Anyone got a good regex that will always detect an extension that might
be considered a script? Or reject all but known non-scripted
extensions? Because wrapping the webbrowser.open () call would be the
workaround, and upgrading webbrowser.py would be a solution.
--Blair
Sorry...should read:
"I did use the script to fetch remote HTML
(url='http://www.python.org' ) before I tried the local file, and it
opened the webpage in Firefox."
Too many chars, too few fingers.
--Blair
Blair P. Houghton wrote: I'm going to try it out on a remote server later today.
Don't bother. I've confirmed the behaviour you saw, and that it is not
what I'd expect either. My Firefox certainly isn't configured to run
.py scripts even when invoked with the "file:" protocol, so webbrowser
is almost certainly Doing Bad Things on Windows.
The relevant code from webbrowser.py shows this, confirming FuzzyMan's
suspicions:
class WindowsDefault:
    def open(self, url, new=0, autoraise=1):
        os.startfile(url)
    def open_new(self, url):
        self.open(url)
I may also try to poke around in webbrowser.py, if possible, to see if I can see whether it's selecting the executable for the given extension, or passing it off to the OS. I would think, since Python is not /supposed/ to have client-side scripting powers, that even when the script is on the client this is bad behavior.
I'd agree. I suspect this ought to be reported as a security flaw,
though it would be nice to know what the fix should be before doing so.
Anyone know a more suitable approach on Windows than just passing
things off to startfile()?
Just don't have the bandwidth, just now.
Anyone got a good regex that will always detect an extension that might be considered a script? Or reject all but known non-scripted extensions?
Would it be sufficient in your case merely to allow only .html files to
be loaded? Or URLs without .extensions? Or even just permit only the
http: protocol?
-Peter
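The wrapper asked about above, restricted to the http: protocol as suggested in this reply, could look like the following. This is an added example, not code from the thread or from webbrowser.py; it is written for current Python 3, and the names check_url, safe_open, UnsafeURLError and ALLOWED_SCHEMES are hypothetical. It uses a scheme allowlist instead of an extension regex, so local paths and file:// URLs never reach os.startfile().

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption for this example: only web URLs should ever reach the browser.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURLError(ValueError):
    """Raised when a URL must not be handed to webbrowser.open()."""


def check_url(url):
    """Return url unchanged if it is an absolute http(s) URL, else raise."""
    # Reject whitespace and control characters up front: URL parsers may
    # silently strip them, so the validated and the launched string could differ.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeURLError("whitespace or control character in URL: %r" % url)
    parts = urlsplit(url)  # may itself raise ValueError on malformed input
    # A Windows path such as C:\x.py parses with scheme "c"; file:// has
    # scheme "file"; a bare filename has no scheme. None is on the allowlist.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURLError("scheme %r not allowed: %r" % (parts.scheme, url))
    if not parts.hostname:
        raise UnsafeURLError("no host in URL: %r" % url)
    return url


def safe_open(url, opener=webbrowser.open):
    """Validate url, then pass it to opener (webbrowser.open by default)."""
    return opener(check_url(url))


if __name__ == "__main__":
    # Constructed sample inputs; a stub opener is used so nothing is launched.
    samples = ["http://www.python.org", "file://C:\\scripts\\browser-test.py",
               "C:\\scripts\\browser-test.py", "browser-test.py"]
    for s in samples:
        try:
            safe_open(s, opener=lambda u: True)
            print("allowed:", s)
        except UnsafeURLError as exc:
            print("refused:", exc)
```

A remote .py URL served over http still passes the check, because the browser then handles it according to the server's response and not through the Windows file association.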
Peter Hansen wrote: I'd agree. I suspect this ought to be reported as a security flaw, though it would be nice to know what the fix should be before doing so. Anyone know a more suitable approach on Windows than just passing things off to startfile()?
It appears the correct approach might be something along the lines of
reading the registry to find what application is configured for the
"HTTP" protocol (HKCR->HTTP->shell->open->command) and run that, passing
it the URL. I think that would do what most people expect, even when
the URL actually passed specifies the "file" protocol and not "http".
Thoughts?
-Peter
The HTTP protocol gives the content-type in the HTTP headers, so the
originating server determines how your browser is going to handle it,
not the client browser. I think the problem is that the 'file://'
protocol probably does use the registry keys above since it's not
getting any HTTP headers.