This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author mdk
Recipients hroncok, mdk
Date 2021-01-21.12:58:22
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Nice find! I am able to reproduce it too in many Python releases.

I see differnt ways we can fix it:

# Using a random secret generated at startup time

Used any way, like by providing an hmac on getfile urls to ensure they are signed with the server secret.

Con: getfile URLS won't work from a run to another run (the secret should be random and changed at every start), and can't be shared (do someone share them in the first place?)

# Allowlist according to sys.path

In getfile implementation, we can check if the asked path is under a path from sys.path.

Con: If someone have ~/ in sys.path, we still can access all its home, or if someone start it using `python -m pydoc` while being in its home directory as Python will prepend the cwd in sys.path.

# Allowlist populated while generating links

Idea is: each time the server generates a getfile link, the target is added to an allowlist.

Each time a getfile link is requested, if the file is not in the allowlist, request is denied.

Con: Refreshing a page won't work after a server restart (thus having an empty allowlist).

# fnmatch allowlist

We could allow only `.py` files.

Con: Secrets stored in `.py` files under user project could still be leaked.


My personal preference goes for the allowlist populated while generating links.
Date User Action Args
2021-01-21 12:58:23mdksetrecipients: + mdk, hroncok
2021-01-21 12:58:23mdksetmessageid: <>
2021-01-21 12:58:23mdklinkissue42988 messages
2021-01-21 12:58:22mdkcreate