I'm just learning Python, so bear with.
I was messing around with the webbrowser module and decided it was
pretty cool to have the browser open a URL from within a python script,
so I wrote a short script to open a local file the same way, using the
script file as an example target:
# browser-test.py
import webbrowser
import sys

pathname = sys.argv[0]      # path of this script, used as the target
protocol = 'file://'
url = protocol + pathname
webbrowser.open(url)
And what I got, instead of a browser window with the text of my script,
was a sequence of DOS windows popping up and disappearing.
Apparently that's because either Windows (XP SP2) or the browser
(Firefox) was interpreting the .py file extension and running Python to
execute it.
So is this a known (mis)feature, and will it happen if I chance to use
webbrowser.open () on a remote .py file?
Because if so, it's a king-hell security hole.
--Blair
Jan 30 '06
On Mon, 30 Jan 2006 16:00:25 -0500, Peter Hansen <pe***@engcorp.com> wrote:
> Blair P. Houghton wrote:
> > I'm going to try it out on a remote server later today.
>
> Don't bother. I've confirmed the behaviour you saw, and that it is not what I'd expect either. My Firefox certainly isn't configured to run .py scripts even when invoked with the "file:" protocol, so webbrowser is almost certainly Doing Bad Things on Windows.
>
> The relevant code from webbrowser.py shows this, confirming FuzzyMan's suspicions:
>
> class WindowsDefault:
>     def open(self, url, new=0, autoraise=1):
>         os.startfile(url)
>
>     def open_new(self, url):
>         self.open(url)
>
> > I may also try to poke around in webbrowser.py, if possible, to see if I can see whether it's selecting the executable for the given extension, or passing it off to the OS. I would think, since Python is not /supposed/ to have client-side scripting powers, that even when the script is on the client this is bad behavior.
>
> I'd agree. I suspect this ought to be reported as a security flaw, though it would be nice to know what the fix should be before doing so. Anyone know a more suitable approach on Windows than just passing things off to startfile()?
>
> > Just don't have the bandwidth, just now.
> >
> > Anyone got a good regex that will always detect an extension that might be considered a script? Or reject all but known non-scripted extensions?
>
> Would it be sufficient in your case merely to allow only .html files to be loaded? Or URLs without .extensions? Or even just permit only the http: protocol?
How about finding the browser via .html association and then letting that
handle the url? E.g., along the lines of

>>> import os
>>> ft = os.popen('assoc .html').read().split('=',1)[1].strip()
>>> ft
'MozillaHTML'
>>> os.popen('ftype %s'%ft).read().split('=',1)[1].strip()
'D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1"'
Regards,
Bengt Richter
Peter Hansen wrote:
> I'd agree. I suspect this ought to be reported as a security flaw, though it would be nice to know what the fix should be before doing so. Anyone know a more suitable approach on Windows than just passing things off to startfile()?
I wouldn't mind knowing if os.startfile is the best way to open
resources on Windows, and whether there's a meaningful distinction
between opening and editing resources that is exposed through an
existing Python library. My interest is in making the desktop module a
useful successor to webbrowser: http://www.python.org/pypi/desktop
Of course, since desktop.open leaves the exact meaning of "to open" to
the user's desktop configuration, if that configuration then causes a
Python program to be executed without some kind of confirmation,
there's a fairly good argument for claiming that the configuration is
broken - yes, it's the classic Microsoft convenience vs. security
dilemma, circa 1998.
For webbrowser, the opportunity to move blame to the user's environment
is somewhat reduced, since the expectation of "browsing" a Python
program would often be to show the text of that program. Given that
webbrowser, in order to do its work, may rely on some environment
mechanism that doesn't have the same view of "browsing" programs, there
is a good argument for decoupling the module from those mechanisms
entirely, although I can imagine that the resulting code would struggle
even then to do the right thing.
Paul
Bengt Richter wrote:
> How about finding the browser via .html association and then letting that handle the url? E.g., along the lines of
>
> >>> import os
> >>> ft = os.popen('assoc .html').read().split('=',1)[1].strip()
> >>> ft
> 'MozillaHTML'
> >>> os.popen('ftype %s'%ft).read().split('=',1)[1].strip()
> 'D:\\MOZ\\MOZILL~1\\MOZILL~1.EXE -url "%1"'
I'm not certain that's safe in all cases. On my machine it does map to
Firefox, but there's also a registry class called "htmlfile" which I
think is used in some circumstances (not sure what they might be... this
crap is all black magic as far as I'm concerned), and on my machine it
is still pointing here:
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
And that's even with Firefox set up as both the default browser and as
the browser to launch from the Start menu (which are not the same thing,
as I sadly learned while coming up with the "http" approach I mentioned
in another post).
-Peter
On 30 Jan 2006 14:39:29 -0800, "Paul Boddie" <pa**@boddie.org.uk> wrote:
> Peter Hansen wrote:
> > I'd agree. I suspect this ought to be reported as a security flaw, though it would be nice to know what the fix should be before doing so. Anyone know a more suitable approach on Windows than just passing things off to startfile()?
>
> I wouldn't mind knowing if os.startfile is the best way to open resources on Windows, and whether there's a meaningful distinction between opening and editing resources that is exposed through an existing Python library. My interest is in making the desktop module a useful successor to webbrowser:
>
> http://www.python.org/pypi/desktop
>
> Of course, since desktop.open leaves the exact meaning of "to open" to the user's desktop configuration, if that configuration then causes a Python program to be executed without some kind of confirmation, there's a fairly good argument for claiming that the configuration is broken - yes, it's the classic Microsoft convenience vs. security dilemma, circa 1998.
>
> For webbrowser, the opportunity to move blame to the user's environment is somewhat reduced, since the expectation of "browsing" a Python program would often be to show the text of that program. Given that webbrowser, in order to do its work, may rely on some environment mechanism that doesn't have the same view of "browsing" programs, there is a good argument for decoupling the module from those mechanisms entirely, although I can imagine that the resulting code would struggle even then to do the right thing.
I suppose a desktop config file with a sequence of regex patterns and associated defined actions
could dispatch urls to shell, browser, or custom app as desired, overriding
registry and/or browser settings by being first to decide. E.g., config might
have CSV-style command,params, ... lines like
define,editor,C:\WINNT\system32\vimr.cmd "%1"
define,browser,D:\MOZ\MOZILL~1\MOZILL~1.EXE -url "%1"
define,savedialog,C:\util\savedialog.cmd "%1"
urlfilter,r'(?i)(\.py$|\.pyw|\.txt)$',editor
urlfilter,r'(?i)(\.htm[l]?|\.jpg|\.gif|\.png|\.pdf)$',browser
urlfilter,r'(?i).*',savedialog
(I think this is more generally powerful than typical .INI file structure,
since you can define a very simple interpreter to do about anything with the
CSV data rows in order, including nesting things, if you make commands
that enter and exit nests. E.g.,
pushdir,c:\tmp\foo
....
popdir
log,file,c:\temp\foo\log.txt
log,on
....
log,off
etc. etc)
Of course, you can jigger an INI file to contain any info you want also,
even using the windows {Get,Write}PrivateProfile{String,Int,Section,SectionNames}
API functions, which like many MS APIs IME of yore seem to work simply if you conform to
their usage preconceptions, but punish you with info discovery hell otherwise ;-)
Regards,
Bengt Richter
>Would it be sufficient in your case merely to allow only .html files to be loaded? Or URLs without .extensions? Or even just permit only the http: protocol?
Personally, I'm just noodling around with this right now.
So "my case" is the abstract case. I think the solution if
one was needed would be to look at how something like
Firefox implements script detection and warns about it,
so all forms of scripts would be rejected.
I did try loading the .py file over a remote connection, and
it does seem to work as expected that way; i.e., I get a
browser window with the text of the script. So the
webbrowser.py module's handling of http:// accesses
is definitely different from its handling of file:// accesses.
--Blair
Blair P. Houghton wrote:
> > Would it be sufficient in your case merely to allow only .html files to be loaded? Or URLs without .extensions? Or even just permit only the http: protocol?
>
> Personally, I'm just noodling around with this right now. So "my case" is the abstract case. I think the solution if one was needed would be to look at how something like Firefox implements script detection and warns about it, so all forms of scripts would be rejected.
>
> I did try loading the .py file over a remote connection, and it does seem to work as expected that way; i.e., I get a browser window with the text of the script. So the

The server will send it with a Content-Type set to text/plain - so the
browser knows to treat it as text.

> webbrowser.py module's handling of http:// accesses is definitely different from its handling of file:// accesses.

It's worth working out if this is down to webbrowser.py *or* Firefox.
Try launching firefox with the path to the py file and seeing what it
does.
If it is webbrowser.py then it is worth fixing.
All the best,
Fuzzyman http://www.voidspace.org.uk/python/index.shtml
Fuzzyman wrote:
> Blair P. Houghton wrote:
> > webbrowser.py module's handling of http:// accesses is definitely different from its handling of file:// accesses.
>
> It's worth working out if this is down to webbrowser.py *or* Firefox. Try launching firefox with the path to the py file and seeing what it does.
>
> If it is webbrowser.py then it is worth fixing.
I'm not sure if my posts got through a couple of days ago, but I thought
I already answered this. webbrowser.py calls os.startfile(), which just
passes things off to the OS. If it's an http:// call, the registry
entries point to Firefox (with a --url option, as I recall) but
os.startfile() obviously doesn't always just load a web browser, so if
the file happens to be a local .py file, it runs it.
I believe you'll get identical results if you pass the same url as you
are passing webbrowser.py to the START command:
start "" "file:///c:/svn/ccvi86/main.py"
On my machine that runs the file.
start "" "http://www.engcorp.com/main/files/ixcore.py"
And that one displays the file in Firefox.
So the bug, if it can be called that, is that on Windows webbrowser.py
doesn't do real work, but just passes responsibility to an underlying
function which works as expected only for http: protocol stuff.
-Peter
Peter Hansen wrote:
> Fuzzyman wrote:
> > Blair P. Houghton wrote:
> > > webbrowser.py module's handling of http:// accesses is definitely different from its handling of file:// accesses.
> >
> > It's worth working out if this is down to webbrowser.py *or* Firefox. Try launching firefox with the path to the py file and seeing what it does.
> >
> > If it is webbrowser.py then it is worth fixing.
>
> I'm not sure if my posts got through a couple of days ago, but I thought I already answered this. webbrowser.py calls os.startfile(), which just passes things off to the OS. If it's an http:// call, the registry entries point to Firefox (with a --url option, as I recall) but os.startfile() obviously doesn't always just load a web browser, so if the file happens to be a local .py file, it runs it.
>
> I believe you'll get identical results if you pass the same url as you are passing webbrowser.py to the START command:
>
> start "" "file:///c:/svn/ccvi86/main.py"
>
> On my machine that runs the file.
>
> start "" "http://www.engcorp.com/main/files/ixcore.py"
>
> And that one displays the file in Firefox.
>
> So the bug, if it can be called that, is that on Windows webbrowser.py doesn't do real work, but just passes responsibility to an underlying function which works as expected only for http: protocol stuff.
I can't see your posts on google, but that's what I suggested might be
the case nearer the start of this thread. ;-)
Hmmm.... if it's not a bug, it at least needs documenting.
All the best,
Fuzzyman http://www.voidspace.org.uk/python/index.shtml
Peter Hansen wrote:
> It appears the correct approach might be something along the lines of reading the registry to find what application is configured for the "HTTP" protocol (HKCR->HTTP->shell->open->command) and run that, passing it the URL. I think that would do what most people expect, even when the URL actually passed specifies the "file" protocol and not "http".
Yeah...but here's where my mind splits. I like security, but I'm not
sure I like the idea of breaking URL syntax and treating "file" as
"http" when it's explicitly specified...although in the context of a
URL, that might be the user's intended use-case... so do we go with "do
the secure, probably expected thing" or "do the thing Tim Berners-Lee
designed it to do"?
Since the behavior is "correct" in the "http://" case (the text is
displayed in the browser), and any "file://" access has physical and
network security built into it by nature of never accessing outside the
user's already-accessible file domain, maybe it is "correct" that the
"file://" access be treated as though it was issued from a shell
command or file-explorer window. Which makes it no security hole at
all, it would seem...
--Blair
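Peter's diagnosis above is that the Windows branch of webbrowser.py hands the URL to os.startfile(), which lets the shell choose a handler by file extension, and the fix he proposes is to read the command registered for the http: protocol under HKCR\HTTP\shell\open\command and run that with the URL. The block below is an added example of that fix, not code from the thread or from the stdlib webbrowser module: winreg is the standard Windows registry module, and SAMPLE_HTTP_COMMAND is a constructed value modelled on the ftype line Bengt posted, used off Windows so the argv logic can run offline.

```python
import shlex
import subprocess
import sys

# Constructed sample of an HKCR\HTTP\shell\open\command value, modelled on
# the Firefox ftype output quoted in the thread; the path is illustrative.
SAMPLE_HTTP_COMMAND = r'D:\MOZ\MOZILL~1\MOZILL~1.EXE -url "%1"'


def http_handler_command():
    """Return the command template registered for the http: protocol.

    Off Windows (and therefore in an offline test) the constructed sample is
    returned so the argv-building logic can still be exercised.
    """
    if sys.platform != "win32":
        return SAMPLE_HTTP_COMMAND
    import winreg  # stdlib, importable on Windows only
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"HTTP\shell\open\command") as key:
        template, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return template


def build_argv(template, url):
    """Expand a registry command template into an argv list for one URL.

    Windows templates quote with double quotes and use backslashes in paths,
    so the template is split with shlex in non-POSIX mode (no backslash
    escapes) and the quotes are dropped afterwards. "%1" is substituted
    inside a single argument and the result never passes through a shell, so
    the URL reaches the browser as one argument whatever it contains, and the
    shell never gets to pick a handler from the URL's file extension.
    """
    tokens = shlex.split(template, posix=False)
    argv = [t.replace('"', "").replace("%1", url) for t in tokens]
    if not any("%1" in t for t in tokens):
        argv.append(url)  # template without a placeholder: URL goes last
    return argv


def open_in_browser(url):
    """Open url with the http: handler instead of os.startfile(url)."""
    argv = build_argv(http_handler_command(), url)
    # shell=False (the default): argv goes straight to CreateProcess/execve,
    # so a file: URL ending in .py is shown by the browser, not run by Python.
    return subprocess.Popen(argv)


if __name__ == "__main__":
    # Constructed file: URL like the one in the original post.
    print(build_argv(http_handler_command(), "file:///C:/work/browser-test.py"))
```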
Blair P. Houghton wrote:
> Which makes it no security hole at all, it would seem...
Well, no, that's a little strong. No *new* security hole, maybe. It
would be on the order of having ./ in the PATH for root, and getting
trapped by a hacker who named his rootkit "ls" or "pwd". I.e., it puts
the onus on the caller user of determining what file is really being
accessed and what's really in it before it's ever opened for default
action.
So it's an insecurity that produces an annoyance that maybe could be
handled by the webbrowser.py module...
--Blair