PT-2023-24889 · Unknown+1 · Mechanicalsoup+1
E-C-D · Published 2023-07-05 · Updated 2023-08-03 · CVE-2023-34457
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
MechanicalSoup versions 0.2.0 through 1.2.x
Description
A malicious web server can read arbitrary files on the client using an <input type="file" ...> inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. The issue arises from the browser.Browser.get_request_kwargs code, where the file path is taken from the bs4 tag "value" attribute, which can be set by a malicious server. For example, if a malicious web server sends an HTML form with an <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />, the MechanicalSoup browser will send the contents of the SSH private key when submitting the form.
Recommendations
To resolve the issue, update to version 1.3.0 or later, which contains a patch for this issue. In version 1.3.0 and later, users must pass an open file object directly when setting input values for file fields, for example, using form.set_input({"name": open("/path/to/filename", "rb")}). This change mitigates the security vulnerability where a malicious web server could read arbitrary files from the client. As a temporary workaround, consider manually resetting HTML form field values or avoiding the use of MechanicalSoup's form submission until a patch is applied.
Exploit
Fix
RCE
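One way to audit a server response for the condition described above before submitting its form, as an added example that is not MechanicalSoup's own code: it uses only Python's standard-library HTML parser to list every file input that arrives with a pre-filled value attribute. The class and function names and the sample form are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample response body (not captured traffic).
SAMPLE_HTML = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="text" name="comment" value="hello">
  <input type="file" name="avatar">
  <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />
  <input TYPE="FILE" name="evil2" value="/tmp/constructed-example.txt">
</form>
"""


class FileInputAuditor(HTMLParser):
    """Collect <input type="file"> elements that carry a value attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (field name, server-supplied value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; self-closing tags
        # reach this method through the default handle_startendtag.
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").strip().lower() != "file":
            return
        if attr.get("value", ""):
            self.findings.append((attr.get("name", ""), attr["value"]))


def prefilled_file_inputs(html):
    """Return (name, value) for each file input whose value the server set."""
    auditor = FileInputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for name, value in prefilled_file_inputs(SAMPLE_HTML):
        print(f"file input {name!r} arrives pre-filled with {value!r}")
```

A non-empty result means the form should not be submitted with a MechanicalSoup release older than 1.3.0 until those value attributes have been reset.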
Affected Products
Debian
Mechanicalsoup