[issue22421] securing pydoc server
Roundup Robot added the comment:

New changeset 02dae04b3e2b by Georg Brandl in branch '3.2':
Issue #22421 - Secure pydoc server run. Bind it to localhost instead of all interfaces.
https://hg.python.org/cpython/rev/02dae04b3e2b

--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22421
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22421] securing pydoc server
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:

--
nosy: +Arfrever
[issue22421] securing pydoc server
Senthil Kumaran added the comment:

The localhost breaking on your Linux system might be due to an improper /etc/hosts, or is localhost pointing to an IPv6 address?

That said, I think it is okay to rely on 127.0.0.1 as host for running pydoc server. I am unsure why the initial check was done only for Mac (and Windows and Linux are left to use localhost).

--
nosy: +orsenthil
[issue22421] securing pydoc server
Changes by Antoine Pitrou pit...@free.fr:

--
stage:  -> patch review
versions: +Python 2.7, Python 3.4, Python 3.5
[issue22421] securing pydoc server
Senthil Kumaran added the comment:

sys.platform is darwin since OS X 10.5. I am not sure when its value was 'mac'. So effectively the host was localhost on Mac systems.

Directly setting the host value to localhost on all platforms may be the right thing to do. Here is a patch with tests.

--
assignee:  -> orsenthil
Added file: http://bugs.python.org/file36631/issue22421.diff
[issue22421] securing pydoc server
Roundup Robot added the comment:

New changeset c438f6aaafa9 by Senthil Kumaran in branch '3.3':
Issue #22421 - Secure pydoc server run. Bind it to localhost instead of all interfaces.
https://hg.python.org/cpython/rev/c438f6aaafa9

New changeset d36c0f2ab821 by Senthil Kumaran in branch '3.4':
Merge from 3.3
https://hg.python.org/cpython/rev/d36c0f2ab821

New changeset 9f7b97fac919 by Senthil Kumaran in branch 'default':
Merge from 3.4
https://hg.python.org/cpython/rev/9f7b97fac919

--
nosy: +python-dev
[issue22421] securing pydoc server
Senthil Kumaran added the comment:

2.7 was not affected and it was binding to localhost properly. Since it is a security-related issue, I have fixed it in 3.3 as well. The fix is now present in 3.4 and 3.5.

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.3 -Python 2.7
[issue22421] securing pydoc server
New submission from Devin Cook:

Several years ago a patch was applied to set the default binding of the pydoc server to localhost instead of 0.0.0.0. It appears that the issue was reintroduced in a5a3ae9be1fb.

See previous issue: http://bugs.python.org/issue672656

$ ./python -m pydoc -b
Server ready at http://localhost:35593/
Server commands: [b]rowser, [q]uit
server>
---
$ netstat -lnp | grep python
tcp        0      0 0.0.0.0:35593           0.0.0.0:*               LISTEN      2780/python

As a sidenote, I'm not sure why the localhost lookup breaks the test case on my Linux machine, but it does.

--
components: Library (Lib)
files: pydoc_server_addr.patch
keywords: patch
messages: 226935
nosy: devin
priority: normal
severity: normal
status: open
title: securing pydoc server
type: security
Added file: http://bugs.python.org/file36628/pydoc_server_addr.patch
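The mismatch in the report above (the banner advertises localhost while netstat shows 0.0.0.0) can be checked mechanically. The following is an added example, not part of the thread and not CPython's code: it flags non-loopback listeners in `netstat -lnp` output and shows what an empty bind host resolves to. The function names and all sample lines except the 35593 listener are constructed for illustration.

```python
import ipaddress
import socketserver

# Constructed sample in `netstat -lnp` layout; the middle line is the listener
# quoted in the report, the other two are made up for contrast.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      2779/python
tcp        0      0 0.0.0.0:35593           0.0.0.0:*               LISTEN      2780/python
tcp6       0      0 :::8080                 :::*                    LISTEN      2781/python
"""


def is_loopback(host):
    """True only for a loopback IP literal (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(netstat_text):
    """Return (local_address, owner) for LISTEN sockets not bound to loopback."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        host = fields[3].rpartition(":")[0]  # ":::8080" yields host "::"
        if not is_loopback(host):
            found.append((fields[3], fields[6] if len(fields) > 6 else "-"))
    return found


def bound_address(bind_host):
    """Bind a throwaway TCP server (the base class of http.server.HTTPServer)
    on an ephemeral port and return the address the kernel reports for it."""
    server = socketserver.TCPServer((bind_host, 0), socketserver.BaseRequestHandler)
    try:
        return server.socket.getsockname()[0]
    finally:
        server.server_close()


if __name__ == "__main__":
    for host in ("", "127.0.0.1"):
        addr = bound_address(host)
        print(f"bind {host!r:12} -> {addr:10} loopback_only={is_loopback(addr)}")
    for local, owner in exposed_listeners(SAMPLE_NETSTAT):
        print(f"listening on all interfaces: {local} ({owner})")
```

An empty host string in the bind address means every interface, which is why a banner that says localhost is not evidence of a loopback-only bind.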