Author lemburg
Recipients hroncok, kj, lemburg, mdk, vstinner
Date 2021-01-22.09:05:04
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <3fb210c2-648e-f858-6ce8-6516de192548@egenix.com>
In-reply-to <1611275314.71.0.688633049666.issue42988@roundup.psfhosted.org>
Content
On 22.01.2021 01:28, STINNER Victor wrote:
> 
> STINNER Victor <vstinner@python.org> added the comment:
> 
>> I'd suggest to print a big warning on the console, explaining that the web server will potentially make all content accessible by the user visible to anyone else on the same server.
> 
> I dislike this idea. If they are vulnerabilities, they should be fixed. Users usually have no idea what to do when seeing such warning.

The problem is that neither the docs nor the help text in the command
make it clear what exactly is exposed via the web server pydoc
launches.

While the getfile API endpoint can be used to view non-Python files
as well (which is certainly not intended), the tool also makes available
all Python modules which can be found on sys.path of the user starting
pydoc -p. It shows all doc-strings, functions, the class structure and
literal values of any constants found in those modules.

In a corporate environment this can easily result in data leaks
of e.g. unreleased software, personal information, disclosure of
NDA protected code, designs, algorithms and other secrets.

Fixing just getfile or replacing those links with file:// ones will
only address one part of the problem. The other is educating the
user about possible consequences of running a server on the machine
-- just like you warn users about deleting files before going ahead
with it.

Python's http.server at least warns about this in the docs:
https://docs.python.org/3/library/http.server.html
and limits the serving to the current dir (and subdirs).

My guess is that pydoc -p really is just intended to be useful
for the current user. Rather than having it serve files under
a blanket URL, it could restrict browsing to a random URL
token generated at pydoc startup and open this in the browser
via the "b" command or the -b option, e.g.

"""
Server ready at http://localhost:8080/uLy6t87AD-ScPthd/
Server commands: [b]rowser, [q]uit
server>
"""

That would make it harder to guess the base URL and limit
exposure.
History
Date                User     Action  Args
2021-01-22 09:05:05 lemburg  set     recipients: + lemburg, vstinner, mdk, hroncok, kj
2021-01-22 09:05:05 lemburg  link    issue42988 messages
2021-01-22 09:05:04 lemburg  create
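Added example (not code from pydoc, CPython or anyone in this thread): a minimal http.server that implements the random-URL-token idea proposed in the message above. It binds to loopback, generates a secrets.token_urlsafe prefix at startup, answers 404 to any request that does not carry the exact prefix (so a probe cannot tell a wrong token from a missing page), and compares the token in constant time. The served pages (SAMPLE_DOCS), the function and class names, and the 16-byte default token length are assumptions made for the demo; pydoc's real module index is not reproduced.

```python
"""Token-gated local doc server (added example; not pydoc's own code)."""
import secrets
import sys
import threading
import urllib.error
import urllib.request
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed stand-in for the module index pydoc builds from sys.path.
SAMPLE_DOCS = {
    "/": "<h1>index</h1><a href='mymod.html'>mymod</a>",
    "/mymod.html": "<h1>mymod</h1><p>Docstring of a constructed module.</p>",
}


def make_token(nbytes=16):
    """Unguessable URL prefix, fresh per startup (128 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def check_path(request_path, token):
    """Return the document path behind the token prefix, or None.

    "/<token>/mymod.html" -> "/mymod.html"; "/<token>" and "/<token>/" -> "/".
    Query strings are ignored.  The comparison is constant-time so response
    timing does not reveal how many leading characters of a guess matched.
    """
    parts = urlsplit(request_path).path.split("/", 2)
    # "/abc/x/y" -> ["", "abc", "x/y"]; "/abc" -> ["", "abc"]; "" -> [""]
    if len(parts) < 2:
        return None
    if not secrets.compare_digest(parts[1].encode("utf-8"), token.encode("utf-8")):
        return None
    return "/" + (parts[2] if len(parts) == 3 else "")


class TokenHandler(BaseHTTPRequestHandler):
    token = None  # filled in by make_server()

    def do_GET(self):
        doc_path = check_path(self.path, self.token)
        body = SAMPLE_DOCS.get(doc_path) if doc_path is not None else None
        if body is None:
            # Same 404 for "wrong token" and "unknown page": a probe cannot
            # learn whether the prefix it tried exists.
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        data = body.encode("utf-8")
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def make_server(port=0, token=None):
    """Bind to loopback only and gate every request on the token.

    Loopback keeps other hosts out; the token keeps other *local* users
    out, which is the exposure discussed in the thread.  port=0 picks a
    free port.
    """
    token = token or make_token()
    handler = type("BoundTokenHandler", (TokenHandler,), {"token": token})
    server = HTTPServer(("127.0.0.1", port), handler)
    return server, token


def demo():
    """Start a server, probe it, shut it down; return the HTTP statuses for:
    bare root, token root, a page under the token, and a wrong token."""
    server, token = make_server()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    # Empty ProxyHandler: never let an http_proxy env var divert loopback.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def status(path):
        try:
            with opener.open(base + path, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    try:
        return (status("/"), status("/%s/" % token),
                status("/%s/mymod.html" % token), status("/not-the-token/"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    server, token = make_server(int(sys.argv[1]) if len(sys.argv) > 1 else 0)
    host, port = server.server_address
    print("Server ready at http://%s:%d/%s/" % (host, port, token))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
```

Run it with an optional port argument; the printed URL is the only one that returns content, every other path gets 404. The loopback bind alone would not help against the case raised in the thread (another user on the same machine), since that user can reach 127.0.0.1 too; the per-startup token is what keeps them out. The remaining exposure is the token itself: it is visible on the console and ends up in the browser history, so anyone who can read those can still reach the server.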