Fading Coder

One Final Commit for the Last Sprint

Predictable Flask Session Forging with MAC-Derived Random Seed

The web application exposes a /read endpoint that accepts a url parameter and fetches its content using urllib.urlopen. Direct use of file:// is blocked by a regex that matches strings starting with file, but the scheme local_file:// bypasses this filter because the check uses ^file.* without conside...
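The filter weakness described above, shown next to an allowlist check, as an added example that is not code from the original page or the challenge application. The function names, the sample URLs and the http/https policy are assumptions; only the ^file.* pattern comes from the text.

```python
import re
from urllib.parse import urlsplit

# Denylist as the page describes it: reject input matching ^file.*
# (how the application calls the regex is an assumption; the page gives only the pattern).
DENY_PATTERN = re.compile(r"^file.*")

# Assumed policy for a fetch endpoint: only web schemes are ever needed.
ALLOWED_SCHEMES = {"http", "https"}


def denylist_allows(url: str) -> bool:
    """Weak check: True means the URL would be handed to the fetcher."""
    return DENY_PATTERN.match(url) is None


def allowlist_allows(url: str) -> bool:
    """Hardened check: parse first, then accept only known-good schemes with a host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


# Constructed sample inputs, not taken from any real request log.
SAMPLES = [
    "file:///etc/passwd",
    "local_file:///etc/passwd",
    "https://example.com/index.html",
]


def compare(urls):
    """Map each URL to (denylist verdict, allowlist verdict)."""
    return {u: (denylist_allows(u), allowlist_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare(SAMPLES).items():
        print(f"{url:35} denylist={weak!s:5} allowlist={strict}")
```

The allowlist restricts the scheme only; which hosts the endpoint may reach is a separate control.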