Public bug reported:

File :
/usr/lib/python2.7/pydoc.py

line : 2216 ... 2226

pydoc.py uses the old Netscape Navigator when the webbrowser module cannot
be imported.

It is also vulnerable to shell command injection,
because it uses os.system(), which allows shell commands in the parameter "url".

code :

        def open(self, event=None, url=None):
            url = url or self.server.url
            try:
                import webbrowser
                webbrowser.open(url)
            except ImportError: # pre-webbrowser.py compatibility
                if sys.platform == 'win32':
                    os.system('start "%s"' % url)
                else:
                    rc = os.system('netscape -remote "openURL(%s)" &' % url)
                    if rc: os.system('netscape "%s" &' % url)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun  5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

** Affects: python2.7 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 vivid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
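
A hardened form of the fallback path quoted in the report, as an added example that is not part of the original report or of pydoc itself: the URL is validated and passed to the browser as a single argv element, so no shell ever parses it. The names `FAKE_BROWSER`, `launch`, `check_url` and `open_url` are hypothetical, the scheme allowlist is an assumption, and the "browser" is a stand-in child Python process that echoes the arguments it receives.

```python
import json
import subprocess
import sys
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: pydoc only serves http(s)

# Stand-in for the browser binary (assumption): a child Python process that
# prints the arguments it received, so the example runs offline.
FAKE_BROWSER = [sys.executable, "-c",
                "import json, sys; print(json.dumps(sys.argv[1:]))"]


def launch(browser_argv, url):
    """Start the browser with the URL as one argv element; no shell parses it."""
    out = subprocess.run(browser_argv + [url], shell=False, check=True,
                         stdout=subprocess.PIPE, universal_newlines=True)
    return json.loads(out.stdout)


def check_url(url):
    """Allow only http(s) URLs with a host and no whitespace, quotes or control chars."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing URL with scheme %r" % parts.scheme)
    if any(c.isspace() or ord(c) < 0x20 or c in "\"'`" for c in url):
        raise ValueError("refusing URL with whitespace, quotes or control characters")
    return url


def open_url(url, browser_argv=FAKE_BROWSER):
    """Validate first, then launch without a shell."""
    return launch(browser_argv, check_url(url))


# Constructed sample values.
PLAIN = "http://localhost:7464/"
ODD = 'http://localhost:7464/"; echo marker; "'

if __name__ == "__main__":
    print(open_url(PLAIN))            # validated, delivered as one argument
    print(launch(FAKE_BROWSER, ODD))  # still one argument: metacharacters are inert
    try:
        open_url(ODD)
    except ValueError as exc:
        print("rejected:", exc)
```
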
