{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidyirtryq3auolol6cwy6odpjzmeubfej7uoznjradw63yqdc2rxq",
"uri": "at://did:plc:4n6wgsqsqm6q2hjncgwmreey/app.bsky.feed.post/3mnru25z6vcg2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiepvrcgvymmyql75tmtkka7omfbnmznynxiukjxcnanuvybhhkqeq"
},
"mimeType": "image/png",
"size": 24785
},
"path": "/post/51674279",
"publishedAt": "2026-06-08T09:00:06.000Z",
"site": "https://programming.dev",
"tags": [
"Python",
"logging_strict",
"10 comments",
"https://github.com/zaironjacobs/get-gecko-driver/issues/5",
"get-gecko-driver",
"get-chrome-driver",
"webdriver-manager"
],
"textContent": "submitted by logging_strict to python\n4 points | 10 comments\nhttps://github.com/zaironjacobs/get-gecko-driver/issues/5\n\nNot all coders are created equal. But there should be a line where we collectively just say, “Please stop”.\n\nWould like to say found two critical issues in two Python packages, but it’s obvious to a six-year-old. Not sure can claim credit for such in-your-face obvious issues.\n\nAnd since it’s so obvious, responsible disclosure kinda got kicked to the curb.\n\nThese libraries pin the required dependencies and test only one Python interpreter, so let’s just say had lowered expectations going in.\n\nget-gecko-driver and get-chrome-driver look like they are unneeded since both selenium and webdriver-manager can download selenium webdrivers. In the latter two packages, web browser support is sparse; there is room for more flexibility. For example, support for waterfox, librewolf, and mullvad-browser.\n\nIssues summary:\n\n 1. downloader module can send a GET request to any URL. There is no URL whitelist. These packages can be used for cover when making arbitrary GET requests.\n\n 2. downloader can save anywhere on the file system. So can be used for other purposes besides downloading selenium webdriver.\n\n 3. no permission checks before saving/writing the file.\n\n 4. get_gecko_driver.downloader and get_chrome_driver.downloader are the exact same module.\n\nI lack confidence the author will respond, will be very pleasantly surprised if the author fixes these issues in a timely manner. Nor confidence he’d do a good job. But at least these issues are disclosed and the ball is in his court.\n\nFor your entertainment:\n\nAll these coding errors are unforgivable and obvious to even a novice coder, a layman, or a random drunk. It takes talent not to see it. If bothered to do unit testing, would be unavoidable to not see it.\n\nThese issues are both CRITICAL SECURITY issues.\n\nObvious is obvious, don’t kill the messenger, instead let’s just fix this issue. The correct action is to quickly fix it and then just agree never to mention it again and pray there is no Darwin award for coders.",
"title": "selenium webdriver or cover for arbitrary GET requests"
}