Some supposedly invalid addresses in the documentation point toward malicious websites

[Blind4Basics]

Describe the problem

I found in the documentation about concurrency some examples that have been "exploited" by malicious people:
in the ThreadPoolExecutor Example

import concurrent.futures
import urllib.request

URLS = ['http://www.foxnews.com/',
        'http://www.cnn.com/',
        'http://europe.wsj.com/',
        'http://www.bbc.co.uk/',
        'http://some-made-up-domain.com/']   # <<<  (DO NOT TRY IT IN A BROWSER)
...

The last domain name is supposed to be non existent.
However, when I tried the snippet, I got a valid response on second try (the first one woke up their server).
It's not problematic with the code example, since the code of the page is just plain text, but anyone trying to go there through their browser might end up in some kind of troubles...

The content of the hosted page is apparently a "hard redirection" toward... something :

">

<html><head><title>Loading...</title></head>
<body>
    <script type='text/javascript'>window.location.replace(
        'http://some-made-up-domain.com/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTY3ODYxNjgxMywiaWF0IjoxNjc4NjA5NjEzLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydDVwdDM2ajgyNjU0YjRma281ZjhhMGciLCJuYmYiOjE2Nzg2MDk2MTMsInRzIjoxNjc4NjA5NjEzODAyNDEzfQ.H4l5qNGb5Ex8ehG3hxX_kWx8ODqTMRgJs0HBeQyCx1Q&sid=a4f97e10-c0af-11ed-b324-9d77bf5b132c'
        );
    </script>
</body>
</html>

Expected solution

Any invalid address in the docs should point to invalid page in trustful domains, to not allow this kind of security hole.

---

Cheers

Linked PRs

• gh-102627: Replace address pointing toward malicious web page #102630
• [3.11] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102664
• [3.10] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102665
• [3.9] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102666
• [3.8] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102667
• [3.7] gh-102627: Replace address pointing toward malicious web page (GH-102630) #102668

[CAM-Gerlach]

Thanks for the report. This issue appears to be in the Python documentation, not the devguide, so I'm transferring it there.

If the last example must be non-existent, it could presumably use a deliberately non-existing subdomain of the python.org domain, which we control, or a subdomain of the reserved example.com domain, or one of the other canonical example.* domains.

Could you list the other examples you've found here, so they can be fixed? Would you like to submit a PR to fix this, and any others you've found? Thanks!

[Mariatta]

I agree we should update such invalid urls. I would also suggest updating even the valid urls like fox news into perhaps other more Python-related websites, but that could be done as a separate PR.

[Blind4Basics]

oh, sorry for posting in the wrong repo...

I actually didn't search in other snippets. But in the same one, a second address is to be handled: 'http://europe.wsj.com/' (it still is invalid so far)
Edit: it might actually be better to use only addresses you control, even for valid ones? (oh, already pointed in the previous message... x) )

About the PR: maybe I'll give it a shot, but no guarantees.

[CAM-Gerlach]

I actually didn't search in other snippets. But in the same one, a second address is to be handled: 'http://europe.wsj.com/' (it still is invalid so far)

That one's not a security issue, since the WSJ domain is still owned by WSJ (presumably, they just changed their subdomain layout), and it just redirects rather than is actually broken. We might want to change those to point to more appropriate Python-related websites and avoid any political controversy, but as @Mariatta mentioned, that's a separate issue.

About the PR: maybe I'll give it a shot, but no guarantees.

It would be a great issue to get started with, since it's only a one-line docs change. The devguide lays out the steps (which I figure you're probably familiar with, given your GitHub history) but let us know if you need any help! Thanks!

[hugovk]

Also https://example.com, https://example.org and https://example.net are specifically reserved for documentation.

https://www.iana.org/domains/reserved

[Blind4Basics]

I made a try. Hopefully I didn't mess the workflow up, going through a fork...

[CAM-Gerlach]

Thanks! Reviewed it there.

[gpshead]

thanks for the PR. merged. the backports are approved and should merge themselves after CI or when the release managers get to them. (assigned to me just to double check that happening in the future)

[ned-deily]

All merged, thanks for the PR.