Message 336096 - Python tracker

Message336096

Author	vstinner
Recipients	eryksun, matrixise, mdk, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date	2019-02-20.15:02:06
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1550674926.64.0.0673196129735.issue36021@roundup.psfhosted.org>
In-reply-to

Content
Maybe webbrowser must be changed to become very strict. For example, raise an error if the URL doesn't start with "http://" or "https://". But add an option to opt-in for "unsafe" URLs with a warning in the doc to explain the risk on Windows? Another option is to add an optional callback to validate the URL. As the 'verify' parameter of logging.config.listen(): https://docs.python.org/dev/library/logging.config.html#logging.config.listen "pydoc -b" runs a local HTTP server but it uses regular "http://" URLs, it doesn't use file://. Maybe only Windows should be modified, Unix is safe, no?

Content

Maybe webbrowser must be changed to become *very strict*. For example, raise an error if the URL doesn't start with "http://" or "https://". But add an option to opt-in for "unsafe" URLs with a warning in the doc to explain the risk on Windows?

Another option is to add an optional callback to validate the URL. As the 'verify' parameter of logging.config.listen():
https://docs.python.org/dev/library/logging.config.html#logging.config.listen

"pydoc -b" runs a local HTTP server but it uses regular "http://" URLs, it doesn't use file://.

Maybe only Windows should be modified, Unix is safe, no?

History
Date	User	Action	Args
2019-02-20 15:02:06	vstinner	set	recipients: + vstinner, paul.moore, tim.golden, zach.ware, eryksun, steve.dower, matrixise, mdk
2019-02-20 15:02:06	vstinner	set	messageid: <1550674926.64.0.0673196129735.issue36021@roundup.psfhosted.org>
2019-02-20 15:02:06	vstinner	link	issue36021 messages
2019-02-20 15:02:06	vstinner	create