Unknown · Mechanicalsoup · CVE-2023-34457
**Name of the Vulnerable Software and Affected Versions**
MechanicalSoup versions 0.2.0 through 1.2.x
**Description**
A malicious web server can read arbitrary files on the client using an `<input type="file" ...>` element inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. The issue arises from the `browser.Browser.get_request_kwargs` code, where the file path is taken from the bs4 tag's "value" attribute, which can be set by a malicious server. For example, if a malicious web server sends an HTML form with an `<input type="file" name="evil" value="/home/user/.ssh/id_rsa" />`, the MechanicalSoup browser will send the contents of the SSH private key when submitting the form.
**Recommendations**
To resolve the issue, update to version 1.3.0 or later, which contains a patch for this issue. In version 1.3.0 and later, users must pass an open file object directly when setting input values for file fields, for example, using `form.set_input({"name": open("/path/to/filename", "rb")})`. This change mitigates the security vulnerability where a malicious web server could read arbitrary files from the client. As a temporary workaround, consider manually resetting HTML form field values or avoiding the use of MechanicalSoup's form submission until a patch is applied.
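The following added example (not MechanicalSoup's own code) models the two sides of the advisory with the standard library only: an auditor that flags `<input type="file">` fields whose path was prefilled by the server, and a request builder in the spirit of 1.3.0 that sends only file objects the client explicitly supplied and ignores the server's `value` attribute. The HTML form and the helper names are constructed for illustration.

```python
from html.parser import HTMLParser
from io import BytesIO

# Constructed sample of the malicious form described in the advisory (not a real response).
MALICIOUS_FORM = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />
  <input type="file" name="attachment" />
  <input type="text" name="note" value="hello" />
</form>
"""


class FileInputAuditor(HTMLParser):
    """Collect <input type="file"> fields and any server-supplied value attribute."""

    def __init__(self):
        super().__init__()
        self.file_inputs = {}  # field name -> server-supplied value (or None)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type", "text").lower() == "file":
            self.file_inputs[a.get("name")] = a.get("value")


def prefilled_file_inputs(html):
    """Names of file inputs whose path was set by the server: the CVE-2023-34457 pattern."""
    p = FileInputAuditor()
    p.feed(html)
    return [name for name, value in p.file_inputs.items() if value]


def build_file_kwargs(html, user_files):
    """Build the 'files' mapping the safe way: only client-chosen open file objects are sent.
    The server's value attribute is never treated as a path. user_files maps name -> file object."""
    p = FileInputAuditor()
    p.feed(html)
    files = {}
    for name in p.file_inputs:
        fobj = user_files.get(name)
        if fobj is None:
            continue  # client chose nothing for this field: omit it entirely
        if isinstance(fobj, (str, bytes)):
            raise TypeError(f"field {name!r}: pass an open file object, not a path")
        files[name] = fobj
    return files


def example_user_files():
    """Constructed client-side choice: an in-memory upload for the 'attachment' field only."""
    return {"attachment": BytesIO(b"constructed upload body")}
```

Running `prefilled_file_inputs` over a fetched form before submitting it is a cheap check for older, unpatched installations.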