Message385489
Fidget-Spinner wrote on the PR:
> AFAIK no. However, pydoc currently works by calling inspect on files it sees in path, and this may reveal private code as Marc-Andre Lemburg pointed out on the bpo. I will try the random url token he suggested via secrets.token_urlsafe to see if it helps.
pydoc shows global constant values in the doc. So yes, if you find a settings.py of a Django project, you can discover secrets.
I'm working on bpo-42955 "Add sys.module_names: list of stdlib module names (Python and extension modules)".
One option would be to restrict pydoc to stdlib modules by default, and ask to opt-in for discovery of any module installed on the system (sys.path).

Date | User | Action | Args
2021-01-22 10:58:14 | vstinner | set | recipients: + vstinner, lemburg, serhiy.storchaka, mdk, hroncok, kj
2021-01-22 10:58:14 | vstinner | set | messageid: <1611313094.01.0.422048370255.issue42988@roundup.psfhosted.org>
2021-01-22 10:58:14 | vstinner | link | issue42988 messages
2021-01-22 10:58:13 | vstinner | create |