Author mdk
Recipients hroncok, mdk
Date 2021-01-21.12:58:22
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1611233903.16.0.601883137732.issue42988@roundup.psfhosted.org>
In-reply-to
Content
Nice find! I am able to reproduce it too in many Python releases.

I see differnt ways we can fix it:


# Using a random secret generated at startup time

Used any way, like by providing an hmac on getfile urls to ensure they are signed with the server secret.

Con: getfile URLS won't work from a run to another run (the secret should be random and changed at every start), and can't be shared (do someone share them in the first place?)


# Allowlist according to sys.path

In getfile implementation, we can check if the asked path is under a path from sys.path.

Con: If someone have ~/ in sys.path, we still can access all its home, or if someone start it using `python -m pydoc` while being in its home directory as Python will prepend the cwd in sys.path.


# Allowlist populated while generating links

Idea is: each time the server generates a getfile link, the target is added to an allowlist.

Each time a getfile link is requested, if the file is not in the allowlist, request is denied.

Con: Refreshing a page won't work after a server restart (thus having an empty allowlist).


# fnmatch allowlist

We could allow only `.py` files.

Con: Secrets stored in `.py` files under user project could still be leaked.


-----------------

My personal preference goes for the allowlist populated while generating links.
History
Date User Action Args
2021-01-21 12:58:23mdksetrecipients: + mdk, hroncok
2021-01-21 12:58:23mdksetmessageid: <1611233903.16.0.601883137732.issue42988@roundup.psfhosted.org>
2021-01-21 12:58:23mdklinkissue42988 messages
2021-01-21 12:58:22mdkcreate