Author kj
Recipients hroncok, kj, lemburg, mdk, vstinner
Date 2021-01-21.17:32:31
Message-id <1611250351.33.0.431917292149.issue42988@roundup.psfhosted.org>
In-reply-to
Content
I created a PR to remove the getfile function - now it just places the hyperlinked file path there but clicking on it won't render the file contents.

Personally I agree with Marc-Andre Lemburg's comments on how _url_handler probably has other vulnerabilities somewhere. But I don't really see an easy solution other than removing the web server altogether. It uses http.server, which has a disclaimer on the docs page saying it isn't recommended for production. Someone looking hard enough can probably find a few more vulnerabilities in http.server itself rather than just pydoc.

I think the "Allowlist populated while generating links" suggested by Julien is pretty clever. 

I thought about the file:// approach too - it's probably the most secure. But it would require a lot of change (and also generating all the .py files to .html initially).

Maybe I'll make a PR exploring the other approaches if the current one isn't favorable.

Thanks for your time.
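As an added illustration of the "allowlist populated while generating links" idea that this message calls clever: the sketch below is not pydoc's code, not the PR under discussion, and not written by the message author. It shows the defensive pattern in isolation: the server records a path in an allowlist at the moment it emits a link to that path, hands out an opaque token instead of the path, and a later `getfile`-style request is honoured only if its token was minted that way. The class and function names (`LinkRegistry`, `render_index`, `handle_getfile`, `demo`) are invented for this example, and the sample module it serves is constructed in a temporary directory.

```python
"""Allowlist-gated file lookup for a doc-browser style server.

Added illustration of the "allowlist populated while generating links"
idea; it is not pydoc's code and not the PR discussed in the tracker.
All names here (LinkRegistry, render_index, handle_getfile, demo) are
invented for the example.
"""
import os
import secrets
import tempfile
from html import escape


class LinkRegistry:
    """Records every file path the server itself chose to link to.

    Only a path registered here can later be resolved; any other
    request, however it is spelled, is refused. Each registered path is
    exposed under an opaque random token rather than its raw name, so
    the URL never carries a filesystem path at all.
    """

    def __init__(self):
        self._by_token = {}
        self._by_path = {}

    def link_for(self, path):
        """Return the URL fragment to emit for `path`.

        Called at link-generation time, so the allowlist grows only with
        paths the server decided to show. Re-linking the same path reuses
        its token.
        """
        real = os.path.realpath(path)
        token = self._by_path.get(real)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._by_token[token] = real
            self._by_path[real] = token
        return "getfile?key=" + token

    def resolve(self, token):
        """Map a token from a request back to a path, or None if unknown."""
        return self._by_token.get(token)


def render_index(registry, paths):
    """Emit an HTML list of links, registering each path as it is linked."""
    items = []
    for p in paths:
        href = registry.link_for(p)
        items.append('<li><a href="%s">%s</a></li>'
                     % (escape(href), escape(os.path.basename(p))))
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def handle_getfile(registry, token):
    """Serve a file only if its token was minted by link_for().

    Returns (status, body). An unknown token gets 404 without revealing
    whether any file by that name exists.
    """
    real = registry.resolve(token)
    if real is None:
        return 404, "no such document"
    with open(real, "r", encoding="utf-8", errors="replace") as fh:
        return 200, fh.read()


def demo():
    """Constructed end-to-end run: one linked file, two refused requests.

    Returns (status for minted token, its body, status for an unminted
    token, status for a raw path used as if it were a token).
    """
    registry = LinkRegistry()
    with tempfile.TemporaryDirectory() as tmp:
        doc = os.path.join(tmp, "example_module.py")
        with open(doc, "w", encoding="utf-8") as fh:
            fh.write("def hello():\n    return 'hi'\n")
        html = render_index(registry, [doc])
        # Pull the token back out of the generated link, as a browser would.
        token = html.split("getfile?key=")[1].split('"')[0]
        ok_status, body = handle_getfile(registry, token)
        bad_status, _ = handle_getfile(registry, "not-a-minted-token")
        path_status, _ = handle_getfile(registry, doc)
    return ok_status, body, bad_status, path_status


if __name__ == "__main__":
    print(demo())
```

The point of the token indirection is that the request side never parses a path at all, so there is nothing for traversal sequences or alternate spellings to act on; the only accepted inputs are values the server itself produced while rendering links.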