Author lemburg
Recipients hroncok, lemburg, mdk, vstinner
Date 2021-01-21.13:44:38
Message-id <1611236678.56.0.408611827789.issue42988@roundup.psfhosted.org>
Content
Looking at the _url_handler() code in pydoc.py, this was clearly not written with web server standards in mind. None of the handlers apply security checks on the user input and there are most likely several other vulnerabilities in there to be found.

It's not just the getfile query allowing reading arbitrary files. The user may well have code in his or her Python installation which is not meant to be published to other users on the same server.

I'd suggest printing a big warning on the console, explaining that the web server will potentially make all content accessible by the user visible to anyone else on the same server.

Perhaps adding some extra check to the html_getfile() handler would be good as well, making sure that the path is on sys.path and maps to a Python file (there could be non-Python file resources in package dirs as well).

Alternatively, perhaps the whole getfile logic could be removed and the web server just provide the path to the source file (as file:// link), so that the user can easily open it, but needs access permissions for this to be successful.
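The "path is on sys.path and maps to a Python file" check proposed in the message, written out as an added example that is neither part of this tracker message nor of pydoc's own code; the function name `is_allowed_source` and the temporary directory layout built in `demo()` are assumptions made for illustration.

```python
import os
import sys
import tempfile


def is_allowed_source(requested, search_path=None):
    # Hypothetical hardening for a getfile-style handler: accept only paths
    # that resolve to a .py file located under one of the search-path dirs.
    if search_path is None:
        search_path = sys.path
    # Resolve symlinks and '..' first, so the decision is made on the real
    # location of the file and not on the text the client supplied.
    real = os.path.realpath(requested)
    if not os.path.isfile(real):
        return False
    # Only Python source; package directories may also hold data files
    # that were never meant to be served.
    if os.path.splitext(real)[1] != ".py":
        return False
    for entry in search_path:
        # An empty sys.path entry means the current directory.
        base = os.path.realpath(entry or os.curdir)
        if not os.path.isdir(base):
            continue
        try:
            if os.path.commonpath([base, real]) == base:
                return True
        except ValueError:
            # Paths on different drives (Windows) share no common prefix.
            continue
    return False


def demo():
    # Constructed sandbox: one fake sys.path directory holding a module and
    # a non-Python resource, plus a .py file outside the search path.
    root = tempfile.mkdtemp()
    pkgdir = os.path.join(root, "site")
    os.makedirs(pkgdir)
    module = os.path.join(pkgdir, "mod.py")
    data = os.path.join(pkgdir, "secrets.txt")
    outside = os.path.join(root, "outside.py")
    for path in (module, data, outside):
        with open(path, "w") as f:
            f.write("# constructed sample file\n")
    return {
        "module": is_allowed_source(module, [pkgdir]),
        "data_file": is_allowed_source(data, [pkgdir]),
        "outside": is_allowed_source(outside, [pkgdir]),
        "traversal": is_allowed_source(os.path.join(pkgdir, "..", "outside.py"), [pkgdir]),
    }


if __name__ == "__main__":
    print(demo())
```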