Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Some supposedly invalid addresses in the documentation point toward malicious websites #102627

New issue
Copy link
New issue
Copy link
Closed
Closed
Some supposedly invalid addresses in the documentation point toward malicious websites#102627
Copy link
Assignees
gpshead
Labels
docsDocumentation in the Doc dirDocumentation in the Doc dir
@Blind4Basics

Description

@Blind4Basics
Blind4Basics
opened on Mar 12, 2023
Issue body actions

Describe the problem

I found in the documentation about concurrency some examples that have been "exploited" by malicious people:
in the ThreadPoolExecutor Example

import concurrent.futures
import urllib.request

URLS = ['http://www.foxnews.com/',
        'http://www.cnn.com/',
        'http://europe.wsj.com/',
        'http://www.bbc.co.uk/',
        'http://some-made-up-domain.com/']   # <<<  (DO NOT TRY IT IN A BROWSER)
...

The last domain name is supposed to be non existent.
However, when I tried the snippet, I got a valid response on second try (the first one woke up their server).
It's not problematic with the code example, since the code of the page is just plain text, but anyone trying to go there through their browser might end up in some kind of troubles...

The content of the hosted page is apparently a "hard redirection" toward... something :

<html><head><title>Loading...</title></head>
<body>
    <script type='text/javascript'>window.location.replace(
        'http://some-made-up-domain.com/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTY3ODYxNjgxMywiaWF0IjoxNjc4NjA5NjEzLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydDVwdDM2ajgyNjU0YjRma281ZjhhMGciLCJuYmYiOjE2Nzg2MDk2MTMsInRzIjoxNjc4NjA5NjEzODAyNDEzfQ.H4l5qNGb5Ex8ehG3hxX_kWx8ODqTMRgJs0HBeQyCx1Q&sid=a4f97e10-c0af-11ed-b324-9d77bf5b132c'
        );
    </script>
</body>
</html>

Expected solution

Any invalid address in the docs should point to invalid page in trustful domains, to not allow this kind of security hole.

Cheers

Linked PRs

Metadata

Metadata

Assignees

Labels

docsDocumentation in the Doc dirDocumentation in the Doc dir

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    Morty Proxy This is a proxified and sanitized view of the page, visit original site.