Author hroncok
Recipients hroncok
Date 2021-01-21.12:18:37
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1611231517.86.0.296188996897.issue42988@roundup.psfhosted.org>
In-reply-to
Content
Hello Python security,
a Fedora user has reported the following security vulnerability to us (I was able to verify it):

Running `pydoc -p` allows other local users to extract arbitrary files.

Steps to Reproduce:
1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa

Actual results:
any local user on the multi-user system can read all my keys and secrets

Expected results:
Access is prevented.

Additional info:
At least a warning should be printed, that this is insecure on multi-user systems.

Python notebook works around this by providing a token that is required to access the notepad. Depending on the system being able to read arbitrary files can allow to impersonate my, by  e.g. stealing my ssh-key (if it is non-encrypted) 



I've originally reported this to security@python.org but I was asked to open a public issue here.
History
Date User Action Args
2021-01-21 12:18:37hroncoksetrecipients: + hroncok
2021-01-21 12:18:37hroncoksetmessageid: <1611231517.86.0.296188996897.issue42988@roundup.psfhosted.org>
2021-01-21 12:18:37hroncoklinkissue42988 messages
2021-01-21 12:18:37hroncokcreate