[issue22421] securing pydoc server

2014-09-30 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 02dae04b3e2b by Georg Brandl in branch '3.2':
Issue #22421 - Secure pydoc server run. Bind it to localhost instead of all 
interfaces.
https://hg.python.org/cpython/rev/02dae04b3e2b

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22421
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue22421] securing pydoc server

2014-09-30 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever




[issue22421] securing pydoc server

2014-09-16 Thread Senthil Kumaran

Senthil Kumaran added the comment:

The localhost breaking on your Linux system might be due to an improper /etc/hosts, 
or is localhost pointing to an IPv6 address?

That said, I think it is okay to rely on 127.0.0.1 as host for running pydoc 
server. I am unsure why the initial check was done only for Mac (and Windows 
and Linux are left to use localhost).

--
nosy: +orsenthil




[issue22421] securing pydoc server

2014-09-16 Thread Antoine Pitrou

Changes by Antoine Pitrou pit...@free.fr:


--
stage:  -> patch review
versions: +Python 2.7, Python 3.4, Python 3.5




[issue22421] securing pydoc server

2014-09-16 Thread Senthil Kumaran

Senthil Kumaran added the comment:

sys.platform is darwin since OS X 10.5. I am not sure when its value was 
'mac', so effectively the host was localhost on Mac systems.

Directly setting the host value to localhost on all platforms may be the right 
thing to do. Here is a patch with tests.

--
assignee:  -> orsenthil
Added file: http://bugs.python.org/file36631/issue22421.diff




[issue22421] securing pydoc server

2014-09-16 Thread Roundup Robot

Roundup Robot added the comment:

New changeset c438f6aaafa9 by Senthil Kumaran in branch '3.3':
Issue #22421 - Secure pydoc server run. Bind it to localhost instead of all 
interfaces.
https://hg.python.org/cpython/rev/c438f6aaafa9

New changeset d36c0f2ab821 by Senthil Kumaran in branch '3.4':
Merge from 3.3
https://hg.python.org/cpython/rev/d36c0f2ab821

New changeset 9f7b97fac919 by Senthil Kumaran in branch 'default':
Merge from 3.4
https://hg.python.org/cpython/rev/9f7b97fac919

--
nosy: +python-dev




[issue22421] securing pydoc server

2014-09-16 Thread Senthil Kumaran

Senthil Kumaran added the comment:

2.7 was not affected and it was binding to localhost properly.

Since it is a security-related issue, I have fixed it in 3.3 as well.
The fix is now present in 3.4 and 3.5.

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.3 -Python 2.7




[issue22421] securing pydoc server

2014-09-15 Thread Devin Cook

New submission from Devin Cook:

Several years ago a patch was applied to set the default binding of the pydoc 
server to localhost instead of 0.0.0.0. It appears that the issue was 
reintroduced in a5a3ae9be1fb.

See previous issue: http://bugs.python.org/issue672656

$ ./python -m pydoc -b
Server ready at http://localhost:35593/
Server commands: [b]rowser, [q]uit
server>

---

$ netstat -lnp | grep python
tcp        0      0 0.0.0.0:35593           0.0.0.0:*               LISTEN      2780/python


As a side note, I'm not sure why the localhost lookup breaks the test case on my 
Linux machine, but it does.

--
components: Library (Lib)
files: pydoc_server_addr.patch
keywords: patch
messages: 226935
nosy: devin
priority: normal
severity: normal
status: open
title: securing pydoc server
type: security
Added file: http://bugs.python.org/file36628/pydoc_server_addr.patch

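
Added example, not part of the original thread or of the CPython patch: it reproduces the binding difference the report shows with netstat, using a standard-library `socketserver.TCPServer` as a stand-in for the pydoc server, and flags non-loopback listeners in `netstat -lnp` output. The helper names are hypothetical, and the second and third sample lines are constructed.

```python
import ipaddress
import socketserver


def bound_address(host):
    """Bind a throwaway TCP server to `host` on an ephemeral port and
    return the address the kernel actually assigned to the listener."""
    server = socketserver.TCPServer((host, 0), socketserver.BaseRequestHandler)
    try:
        return server.socket.getsockname()[0]
    finally:
        server.server_close()


def is_loopback_only(addr):
    """True if a listener on `addr` is reachable only from this host."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: treat as exposed and review by hand


def exposed_listeners(netstat_lines, process="python"):
    """Return (local_address, pid/program) for LISTEN sockets owned by
    `process` that are not bound to a loopback address."""
    findings = []
    for line in netstat_lines:
        # netstat -lnp columns: proto recv-q send-q local foreign state pid/program
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        local, owner = fields[3], fields[6]
        host = local.rsplit(":", 1)[0].strip("[]")
        if process in owner and not is_loopback_only(host):
            findings.append((local, owner))
    return findings


# First line mirrors the report's netstat output; the other two are constructed.
SAMPLE = [
    "tcp   0  0 0.0.0.0:35593    0.0.0.0:*  LISTEN  2780/python",
    "tcp   0  0 127.0.0.1:41217  0.0.0.0:*  LISTEN  2781/python",
    "tcp6  0  0 :::8080          :::*       LISTEN  2782/python",
]

if __name__ == "__main__":
    print("host '' binds to", bound_address(""))  # wildcard: all interfaces
    print("host '127.0.0.1' binds to", bound_address("127.0.0.1"))
    for local, owner in exposed_listeners(SAMPLE):
        print("exposed listener:", local, owner)
```
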