Closed
Description
Describe the problem
I found in the documentation about concurrency some examples that have been "exploited" by malicious people:
In the ThreadPoolExecutor example:

```python
import concurrent.futures
import urllib.request

URLS = ['http://www.foxnews.com/',
        'http://www.cnn.com/',
        'http://europe.wsj.com/',
        'http://www.bbc.co.uk/',
        'http://some-made-up-domain.com/']  # <<< (DO NOT TRY IT IN A BROWSER)
...
```
The last domain name is supposed to be non-existent.
However, when I tried the snippet, I got a valid response on second try (the first one woke up their server).
It's not problematic with the code example, since the code of the page is just plain text, but anyone trying to go there through their browser might end up in some kind of trouble...
The content of the hosted page is apparently a "hard redirection" toward... something:
```html
<html><head><title>Loading...</title></head>
<body>
<script type='text/javascript'>window.location.replace(
'http://some-made-up-domain.com/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTY3ODYxNjgxMywiaWF0IjoxNjc4NjA5NjEzLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydDVwdDM2ajgyNjU0YjRma281ZjhhMGciLCJuYmYiOjE2Nzg2MDk2MTMsInRzIjoxNjc4NjA5NjEzODAyNDEzfQ.H4l5qNGb5Ex8ehG3hxX_kWx8ODqTMRgJs0HBeQyCx1Q&sid=a4f97e10-c0af-11ed-b324-9d77bf5b132c'
);
</script>
</body>
</html>
```
Expected solution
Any invalid address in the docs should point to an invalid page in trustful domains, to not allow this kind of security hole.
Cheers
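An added checker, written for this page and not part of the issue or of CPython, that implements the expected solution as a docs lint: it classifies each URL's host as reserved by RFC 2606/6761 (can never be registered), project-controlled, or registrable by a third party, so a placeholder like `some-made-up-domain.com` is flagged before anyone can buy it and host a redirect there. The `TRUSTED_DOMAINS` allowlist and the sample listing are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Names reserved by RFC 2606 / RFC 6761. No registrar can sell them, so a
# placeholder under one of them can never be bought and turned into a redirect.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
# Hypothetical allowlist: domains the project itself controls (assumption).
TRUSTED_DOMAINS = {"python.org"}

# Rough URL matcher for prose and code listings (constructed for this check).
URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")


def classify_host(url):
    """Return 'reserved', 'trusted' or 'registrable' for the URL's host."""
    # urlsplit().hostname strips userinfo and port, so "example.com@evil.net"
    # is judged on evil.net, not on the decoy in front of the "@".
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "registrable"  # unparsable: treat as unsafe
    if host.split(".")[-1] in RESERVED_TLDS:
        return "reserved"
    for suffix in RESERVED_DOMAINS:
        # Exact match or a real subdomain; "example.com.attacker.net" must not pass.
        if host == suffix or host.endswith("." + suffix):
            return "reserved"
    for suffix in TRUSTED_DOMAINS:
        if host == suffix or host.endswith("." + suffix):
            return "trusted"
    return "registrable"


def is_safe_placeholder(url):
    return classify_host(url) != "registrable"


def find_registrable_urls(text):
    """Every URL in text whose host a third party could register; each one
    should be either an intentionally live site or replaced by a reserved name."""
    return sorted({u for u in URL_RE.findall(text) if not is_safe_placeholder(u)})


# Constructed sample: a listing in the style of the issue's docs excerpt.
SAMPLE = """
URLS = ['http://www.foxnews.com/',
        'http://www.cnn.com/',
        'http://some-made-up-domain.com/',
        'http://nonexistent.python.org/',
        'http://unreachable.example.invalid/']
"""
```

Running `find_registrable_urls(SAMPLE)` reports the two live news sites and `some-made-up-domain.com` for review, while the reserved and project-controlled placeholders pass.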
Linked PRs
- gh-102627: Replace address pointing toward malicious web page #102630
- [3.11] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102664
- [3.10] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102665
- [3.9] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102666
- [3.8] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102667
- [3.7] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102668