Author vstinner
Recipients hroncok, kj, lemburg, mdk, serhiy.storchaka, vstinner
Date 2021-01-22.10:58:13
Message-id <1611313094.01.0.422048370255.issue42988@roundup.psfhosted.org>
In-reply-to
Content
Fidget-Spinner wrote on the PR:
> AFAIK no. However, pydoc currently works by calling inspect on files it sees in path, and this may reveal private code as Marc-Andre Lemburg pointed out on the bpo. I will try the random url token he suggested via secrets.token_urlsafe to see if it helps.

pydoc shows global constant values in the doc. So yes, if you find a settings.py of a Django project, you can discover secrets.

I'm working on bpo-42955 "Add sys.module_names: list of stdlib module names (Python and extension modules)".

One option would be to restrict pydoc to stdlib modules by default, and ask to opt-in for discovery of any module installed on the system (sys.path).
History
Date | User | Action | Args
2021-01-22 10:58:14 | vstinner | set | recipients: + vstinner, lemburg, serhiy.storchaka, mdk, hroncok, kj
2021-01-22 10:58:14 | vstinner | set | messageid: <1611313094.01.0.422048370255.issue42988@roundup.psfhosted.org>
2021-01-22 10:58:14 | vstinner | link | issue42988 messages
2021-01-22 10:58:13 | vstinner | create |
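The stdlib-only default proposed in the message above, sketched as an added example; it is not code from the issue, the PR or CPython. It assumes `sys.stdlib_module_names` (available in Python 3.10 and later); the helper names, the `demo_settings` module and its `SECRET_KEY` value are constructed for illustration.

```python
import pydoc
import sys
import types

# sys.stdlib_module_names exists on Python 3.10+. On older versions the
# empty fallback makes every module count as non-stdlib (fails closed).
STDLIB = getattr(sys, "stdlib_module_names", frozenset())


def is_stdlib(name):
    """True when the top-level package of a dotted name is in the stdlib."""
    return name.partition(".")[0] in STDLIB


def render_restricted(name, allow_all=False):
    """Render pydoc text for `name`; non-stdlib modules need an opt-in.

    Hypothetical policy helper, not pydoc's own behaviour.
    """
    if not (allow_all or is_stdlib(name)):
        raise PermissionError(f"{name!r} is outside the stdlib; opt in explicitly")
    return pydoc.render_doc(name, renderer=pydoc.plaintext)


def install_demo_settings():
    """Register a constructed stand-in for a Django-style settings module."""
    mod = types.ModuleType("demo_settings", "Constructed settings module.")
    mod.SECRET_KEY = "constructed-placeholder-value"  # constructed, not a real key
    sys.modules[mod.__name__] = mod
    return mod.__name__


if __name__ == "__main__":
    name = install_demo_settings()
    try:
        render_restricted(name)
    except PermissionError as exc:
        print("default:", exc)
    # With the opt-in, the DATA section carries the constant's value.
    text = render_restricted(name, allow_all=True)
    print([line for line in text.splitlines() if "SECRET_KEY" in line])
```

The check is made on the top-level package name only, so it gates which modules are imported and rendered, not which attributes inside an allowed module are shown.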