Message385412
Hello Python security,
a Fedora user has reported the following security vulnerability to us (I was able to verify it):
Running `pydoc -p` allows other local users to extract arbitrary files.
Steps to Reproduce:
1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa
Actual results:
any local user on the multi-user system can read all my keys and secrets
Expected results:
Access is prevented.
Additional info:
At least a warning should be printed, that this is insecure on multi-user systems.
Python notebook works around this by providing a token that is required to access the notepad. Depending on the system being able to read arbitrary files can allow to impersonate my, by e.g. stealing my ssh-key (if it is non-encrypted)
I've originally reported this to security@python.org but I was asked to open a public issue here. |
|
Date |
User |
Action |
Args |
2021-01-21 12:18:37 | hroncok | set | recipients:
+ hroncok |
2021-01-21 12:18:37 | hroncok | set | messageid: <1611231517.86.0.296188996897.issue42988@roundup.psfhosted.org> |
2021-01-21 12:18:37 | hroncok | link | issue42988 messages |
2021-01-21 12:18:37 | hroncok | create | |
|