CVE-2023-34457

Advisory

MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a '<input type="file" ...>' inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========

Breaking changes
----------------

* To prevent malicious web servers from reading arbitrary files from the
client, files must now be opened explicitly by the user in order to
upload their contents in form submission. For example, instead of:

browser["upload"] = "/path/to/file"

you would now use:

browser["upload"] = open("/path/to/file", "rb")

This remediates
`CVE-2023-34457 <https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4>`__.
Our thanks to e-c-d for reporting and helping to fix the vulnerability!

Main changes
------------

* Added support for Python 3.11.

* Allow submitting a form with no submit element. This can be achieved by
passing ``submit=False`` to ``StatefulBrowser.submit_selected``. Thanks
alexreg!
[`480 <https://github.com/MechanicalSoup/MechanicalSoup/pull/411`__]

Resources

• https://pypi.org/project/mechanicalsoup
• https://pyup.io/changelogs/mechanicalsoup/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34457
• https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0
• https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
• https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e