Message385721
@Serhiy,
While this approach solves the getfile problem, I don't think this will solve the other problem of pydoc leaking secrets stored in python files:
Quoting from Marc-Andre Lemburg's message:
> the tool also makes available all Python modules which can be found on sys.path of the user starting pydoc -p. It shows all doc-strings, functions, the class structure and literal values of any constants found in those modules.
> In a corporate environment this can easily result in data leaks of e.g. unreleased software, personal information, disclosure of NDA protected code, designs, algorithms and other secrets.
Quoting from Victor's messages:
> pydoc shows global constant values in the doc. So yes, if you find a settings.py of a Django project, you can discover secrets.
Ultimately, the problem seems to be that .py files (other than those in the stdlib) may contain sensitive info, which pydoc can read.

| Date | User | Action | Args |
|---|---|---|---|
| 2021-01-26 15:52:43 | kj | set | recipients: + kj, lemburg, vstinner, serhiy.storchaka, mdk, hroncok |
| 2021-01-26 15:52:43 | kj | set | messageid: <1611676363.22.0.936567299603.issue42988@roundup.psfhosted.org> |
| 2021-01-26 15:52:43 | kj | link | issue42988 messages |
| 2021-01-26 15:52:42 | kj | create | |
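
An added illustration, not part of the original message and not pydoc's own code: a static audit that lists the hard-coded module-level constants in a file such as settings.py, the kind of value the quoted messages say pydoc displays. The sample source, the name pattern and the function names are constructed for this example.

```python
import ast
import re

# Constructed sample standing in for a settings.py reachable via sys.path.
SAMPLE_SETTINGS = '''
"""Project settings."""
import os
DEBUG = True
SECRET_KEY = "constructed-not-a-real-key"
DATABASE_PASSWORD: str = "constructed-password"
API_TOKEN = os.environ.get("API_TOKEN")  # read from the environment, not hard-coded
def helper():
    LOCAL_SECRET = "inside a function, not a module-level constant"
'''

# Assumed naming heuristic for values worth reviewing; adjust per code base.
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|CREDENTIAL", re.I)


def exposed_literals(source):
    """Return {name: value} for module-level names bound to literal values."""
    found = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue  # imports, defs, docstrings, etc.
        try:
            literal = ast.literal_eval(value)
        except (ValueError, TypeError):
            continue  # not a literal; this static check does not evaluate it
        for target in targets:
            if isinstance(target, ast.Name):
                found[target.id] = literal
    return found


def flag_sensitive(source):
    """Names of hard-coded constants whose name suggests a secret."""
    return sorted(n for n in exposed_literals(source) if SENSITIVE_NAME.search(n))


if __name__ == "__main__":
    for name in flag_sensitive(SAMPLE_SETTINGS):
        print(f"hard-coded constant with a sensitive-looking name: {name}")
```

Because the check is static, it reports only literals written in the source; a value computed when the module is imported is not evaluated here.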