Message385413
Nice find! I am able to reproduce it too in many Python releases.
I see different ways we can fix it:
# Using a random secret generated at startup time
Used in any way, for example by providing an HMAC on getfile URLs to ensure they are signed with the server secret.
Con: getfile URLs won't work from one run to another (the secret should be random and changed at every start), and can't be shared (does anyone share them in the first place?)
# Allowlist according to sys.path
In getfile implementation, we can check if the asked path is under a path from sys.path.
Con: If someone has ~/ in sys.path, we can still access their whole home directory, or if someone starts it using `python -m pydoc` while in their home directory, as Python will prepend the cwd to sys.path.
# Allowlist populated while generating links
Idea is: each time the server generates a getfile link, the target is added to an allowlist.
Each time a getfile link is requested, if the file is not in the allowlist, request is denied.
Con: Refreshing a page won't work after a server restart (which leaves an empty allowlist).
# fnmatch allowlist
We could allow only `.py` files.
Con: Secrets stored in `.py` files under user project could still be leaked.
-----------------
My personal preference goes for the allowlist populated while generating links.
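A sketch of that third option, an allowlist filled in as links are generated, added here as an example and not pydoc's own code; `GetFileAllowlist`, `make_link`, `serve` and `demo` are hypothetical names, and the files `demo()` creates are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, quote, urlsplit


class GetFileAllowlist:
    """Hypothetical helper: serve only paths the server itself has linked to."""

    def __init__(self):
        self._allowed = set()  # lives in memory only, so a restart empties it

    @staticmethod
    def _canonical(path):
        # Resolve '..' and symlinks so every file has exactly one spelling.
        return os.path.realpath(os.path.abspath(path))

    def make_link(self, path):
        """Called wherever the HTML generator emits a getfile link."""
        canon = self._canonical(path)
        self._allowed.add(canon)
        return "/getfile?key=" + quote(canon)

    def serve(self, url):
        """Handle a getfile request; anything never linked is denied (None)."""
        key = parse_qs(urlsplit(url).query).get("key", [None])[0]
        if key is None or self._canonical(key) not in self._allowed:
            return None
        return Path(self._canonical(key)).read_text(encoding="utf-8")


def demo():
    """Constructed scenario: one linked module next to an unlinked secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        module = Path(tmp, "pkg", "mod.py")
        secret = Path(tmp, "secret.txt")
        module.parent.mkdir()
        module.write_text("x = 1\n", encoding="utf-8")
        secret.write_text("hunter2\n", encoding="utf-8")
        acl = GetFileAllowlist()
        link = acl.make_link(str(module))  # only this file gets allowlisted
        return {
            "linked": acl.serve(link),
            "unlinked": acl.serve("/getfile?key=" + quote(str(secret))),
            "traversal": acl.serve("/getfile?key=" + quote(str(module) + "/../../secret.txt")),
            "after_restart": GetFileAllowlist().serve(link),  # fresh process, empty set
        }
```

The last entry reproduces the restart limitation noted above: a link that was valid before the restart is denied by the new, empty allowlist.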
Date | User | Action | Args
2021-01-21 12:58:23 | mdk | set | recipients: + mdk, hroncok
2021-01-21 12:58:23 | mdk | set | messageid: <1611233903.16.0.601883137732.issue42988@roundup.psfhosted.org>
2021-01-21 12:58:23 | mdk | link | issue42988 messages
2021-01-21 12:58:22 | mdk | create |