Message 385413 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	mdk
Recipients	hroncok, mdk
Date	2021-01-21.12:58:22
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1611233903.16.0.601883137732.issue42988@roundup.psfhosted.org>
In-reply-to

Content
Nice find! I am able to reproduce it too in many Python releases. I see differnt ways we can fix it: # Using a random secret generated at startup time Used any way, like by providing an hmac on getfile urls to ensure they are signed with the server secret. Con: getfile URLS won't work from a run to another run (the secret should be random and changed at every start), and can't be shared (do someone share them in the first place?) # Allowlist according to sys.path In getfile implementation, we can check if the asked path is under a path from sys.path. Con: If someone have ~/ in sys.path, we still can access all its home, or if someone start it using `python -m pydoc` while being in its home directory as Python will prepend the cwd in sys.path. # Allowlist populated while generating links Idea is: each time the server generates a getfile link, the target is added to an allowlist. Each time a getfile link is requested, if the file is not in the allowlist, request is denied. Con: Refreshing a page won't work after a server restart (thus having an empty allowlist). # fnmatch allowlist We could allow only `.py` files. Con: Secrets stored in `.py` files under user project could still be leaked. ----------------- My personal preference goes for the allowlist populated while generating links.

Nice find! I am able to reproduce it too in many Python releases.

I see differnt ways we can fix it:


# Using a random secret generated at startup time

Used any way, like by providing an hmac on getfile urls to ensure they are signed with the server secret.

Con: getfile URLS won't work from a run to another run (the secret should be random and changed at every start), and can't be shared (do someone share them in the first place?)


# Allowlist according to sys.path

In getfile implementation, we can check if the asked path is under a path from sys.path.

Con: If someone have ~/ in sys.path, we still can access all its home, or if someone start it using `python -m pydoc` while being in its home directory as Python will prepend the cwd in sys.path.


# Allowlist populated while generating links

Idea is: each time the server generates a getfile link, the target is added to an allowlist.

Each time a getfile link is requested, if the file is not in the allowlist, request is denied.

Con: Refreshing a page won't work after a server restart (thus having an empty allowlist).


# fnmatch allowlist

We could allow only `.py` files.

Con: Secrets stored in `.py` files under user project could still be leaked.


-----------------

My personal preference goes for the allowlist populated while generating links.

History
Date	User	Action	Args
2021-01-21 12:58:23	mdk	set	recipients: + mdk, hroncok
2021-01-21 12:58:23	mdk	set	messageid: <1611233903.16.0.601883137732.issue42988@roundup.psfhosted.org>
2021-01-21 12:58:23	mdk	link	issue42988 messages
2021-01-21 12:58:22	mdk	create