Marc-Andre Lemburg <m...@egenix.com> added the comment:
On 22.01.2021 01:28, STINNER Victor wrote:
>
> STINNER Victor <vstin...@python.org> added the comment:
>
>> I'd suggest to print a big warning on the console, explaining that the web
>> server will potentially make all content accessible by the user visible to
>> anyone else on the same server.
>
> I dislike this idea. If they are vulnerabilities, they should be fixed. Users
> usually have no idea what to do when seeing such a warning.

The problem is that neither the docs nor the help text in the command make it clear what exactly is exposed via the web server pydoc launches.

While the getfile API endpoint can be used to view non-Python files as well (which is certainly not intended), the tool also makes available all Python modules which can be found on sys.path of the user starting pydoc -p. It shows all doc-strings, functions, the class structure and literal values of any constants found in those modules.

In a corporate environment this can easily result in data leaks of e.g. unreleased software, personal information, disclosure of NDA protected code, designs, algorithms and other secrets.

Fixing just getfile or replacing those links with file:// ones will only address one part of the problem. The other is educating the user about possible consequences of running a server on the machine -- just like you warn users about deleting files before going ahead with it.

Python's http.server at least warns about this in the docs: https://docs.python.org/3/library/http.server.html and limits the serving to the current dir (and subdirs).

My guess is that pydoc -p really is just intended to be useful for the current user. Rather than having it serve files under a blanket URL, it could restrict browsing to a random URL token generated at pydoc startup and open this in the browser via the "b" command or the -b option, e.g.

"""
Server ready at http://localhost:8080/uLy6t87AD-ScPthd/

Server commands: [b]rowser, [q]uit
server>
"""

That would make it harder to guess the base URL and limit exposure.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42988>
_______________________________________
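The token-gated base URL proposed in the reply above, sketched as an added example that is not part of the thread or of CPython's pydoc: every request must start with a random per-startup path segment, the server binds to loopback only, and everything else gets a plain 404. The names `make_token`, `path_is_authorized`, `TokenGatedHandler` and `serve` are mine, not pydoc's.

```python
# Added example (not from the bug thread or CPython): a minimal doc server
# whose whole URL space sits under a random token chosen at startup, as the
# reply proposes for pydoc -p. Helper names here are illustrative only.
import secrets
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def make_token(nbytes: int = 12) -> str:
    """Random URL-safe token, generated once per server start."""
    return secrets.token_urlsafe(nbytes)


def path_is_authorized(path: str, token: str) -> bool:
    """True only for /<token> or /<token>/...; query strings are ignored."""
    parts = urlsplit(path).path.split("/", 2)  # ['', '<segment>', 'rest']
    if len(parts) < 2 or not parts[1].isascii():
        return False
    # Constant-time comparison so the token cannot be probed byte by byte.
    return secrets.compare_digest(parts[1], token)


class TokenGatedHandler(BaseHTTPRequestHandler):
    token = ""  # filled in by serve() before the server starts

    def do_GET(self) -> None:
        if not path_is_authorized(self.path, self.token):
            # Wrong or missing prefix: a bare 404, no hint that a token exists.
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        body = b"<html><body>doc index placeholder</body></html>"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port: int = 8080) -> None:
    TokenGatedHandler.token = make_token()
    # Loopback only: the server is meant for the current user, nobody else.
    httpd = HTTPServer(("127.0.0.1", port), TokenGatedHandler)
    print(f"Server ready at http://localhost:{port}/{TokenGatedHandler.token}/")
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```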