Hi Bernd - Thanks for the report!

I don't see a way for an attacker to inject command line arguments for a
couple of reasons:

1) On Ubuntu, webbrowser is always available. It is provided by
libpython2.7-stdlib, which python2.7 depends on.

2) You can't provide arbitrary URLs. The GUI version of pydoc pops up a
Tk-based dialogue. If you click 'open browser', open() is called with
url=None. If you search for a keyword, it has to exist and be selectable
in the search results before you can click 'go to selected'. I don't see
a way to pass an arbitrary, malicious URL.

3) Even if #1 and #2 above were not mitigating factors, an attacker
would have to trick the user into launching pydoc in graphical mode,
then search for a specially crafted keyword, and then click 'go to
selected'. There are easier ways to trick users into doing things that
open them up to attacks.

I suggest that you work with upstream Python to get this issue fixed if
you're worried about non-Ubuntu platforms where this might be a security
issue.

** Changed in: python2.7 (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs