René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Some supposedly invalid addresses in the documentation point toward malicious websites","articleBody":"## Describe the problem\r\n\r\nI found in the documentation about concurrency some examples that have been \"exploited\" by malicious people:\r\nin the [ThreadPoolExecutor Example](https://docs.python.org/3/library/concurrent.futures.html#threadpoolexecutor-example)\r\n```python\r\nimport concurrent.futures\r\nimport urllib.request\r\n\r\nURLS = ['http://www.foxnews.com/',\r\n        'http://www.cnn.com/',\r\n        'http://europe.wsj.com/',\r\n        'http://www.bbc.co.uk/',\r\n        'http://some-made-up-domain.com/']   # \u003c\u003c\u003c  (DO NOT TRY IT IN A BROWSER)\r\n...\r\n```\r\nThe last domain name is supposed to be non existent.\r\nHowever, when I tried the snippet, I got a valid response on second try (the first one woke up their server).\r\nIt's not problematic with the code example, since the code of the page is just plain text, but anyone trying to go there through their browser might end up in some kind of troubles...\r\n\r\nThe content of the hosted page is apparently a \"hard redirection\" toward... something :\r\n```js\r\n\u003chtml\u003e\u003chead\u003e\u003ctitle\u003eLoading...\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n    \u003cscript type='text/javascript'\u003ewindow.location.replace(\r\n        'http://some-made-up-domain.com/?ch=1\u0026js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTY3ODYxNjgxMywiaWF0IjoxNjc4NjA5NjEzLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydDVwdDM2ajgyNjU0YjRma281ZjhhMGciLCJuYmYiOjE2Nzg2MDk2MTMsInRzIjoxNjc4NjA5NjEzODAyNDEzfQ.H4l5qNGb5Ex8ehG3hxX_kWx8ODqTMRgJs0HBeQyCx1Q\u0026sid=a4f97e10-c0af-11ed-b324-9d77bf5b132c'\r\n        );\r\n    \u003c/script\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\n```\r\n## Expected solution\r\n\r\nAny invalid address in the docs should point to invalid page in trustful domains, to not allow this kind of security hole.\r\n\r\n---\r\n\r\nCheers\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-102630\n* gh-102664\n* gh-102665\n* gh-102666\n* gh-102667\n* gh-102668\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/Blind4Basics","@type":"Person","name":"Blind4Basics"},"datePublished":"2023-03-12T17:19:26.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":9},"url":"https://github.com/102627/cpython/issues/102627"}