MarkdownLivePreview
Use Python `webbrowser` module instead of `open_url` command to prevent arbitrary remote code execution.
When a link in a preview is clicked, this package uses the open_url command to open the URL of the link. The intended behavior is to open the link in a web browser. However, when you pass a file:// URL to open_url, this is basically like double-clicking the target of the URL. If the target is (say) a shell script, then that script will run. On some OSes, it is possible to specify file:// URLs referring to unknown remote file shares, and the OS will attempt to connect to the share. As a result, you can create a URL that will execute arbitrary code if you click on the link in the preview.
Instead, this package should use Python's built-in webbrowser module.
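Whichever opener is used, the part that actually closes the hole is refusing to hand non-web schemes to it at all. The following is an added example (not code from the MarkdownLivePreview package) of a scheme allowlist applied before a link is opened: `file://`, `smb://`, `javascript:`, scheme-less UNC-style paths and anything else that is not an absolute `http(s)` URL is rejected. The names `ALLOWED_SCHEMES`, `classify_url` and `safe_open_url` are chosen for this example; `opener` is injectable so a plugin could pass a wrapper around its own open command, and so the example can be exercised without launching a browser.

```python
import webbrowser
from urllib.parse import urlsplit

# Schemes a preview link may open. Everything else (file://, smb://,
# javascript:, scheme-less //server/share paths) is refused before any
# opener runs. Name chosen for this example.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def classify_url(url):
    """Return (ok, reason); ok is True only for an absolute http(s) URL."""
    if not isinstance(url, str) or not url:
        return False, "empty url"
    # Whitespace and control characters are rejected up front; urlsplit
    # tolerates or strips some of them, so check before parsing.
    if any(ch.isspace() or not ch.isprintable() for ch in url):
        return False, "whitespace or control characters in url"
    parts = urlsplit(url)  # urlsplit lower-cases the scheme, so FILE:// is caught too
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % (parts.scheme or "<none>")
    if not parts.netloc:
        return False, "no host in url"  # e.g. "https:example.com"
    return True, "ok"


def safe_open_url(url, opener=webbrowser.open):
    """Open url with opener only if classify_url accepts it.

    Returns True when the opener was invoked, False when the link was
    refused. The refusal message is printed so a plugin can surface it.
    """
    ok, reason = classify_url(url)
    if not ok:
        print("refusing to open %r: %s" % (url, reason))
        return False
    opener(url)
    return True


if __name__ == "__main__":
    # Constructed sample links as a Markdown preview might contain them.
    for link in ("https://example.com/docs",
                 "file:///tmp/evil.sh",
                 "smb://evil.example/share/x.sh",
                 "//evil.example/share/x.sh"):
        print(link, "->", "opened" if safe_open_url(link, opener=lambda u: None) else "refused")
```

The check is done on the parsed scheme rather than a string prefix, so case variants (`FILE://`) and URLs with no scheme at all are handled by the same rule; any opener that is reached only sees `http` or `https` URLs with a host.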
Are you sure that this will fix the problem though? From the Python documentation:
Note that on some platforms, trying to open a filename using this function, may work and start the operating system’s associated program. However, this is neither supported nor portable.
And doesn't open_url rely on something like webbrowser underneath (like a C equivalent)?