Author kj
Recipients hroncok, kj, lemburg, mdk, serhiy.storchaka, vstinner
Date 2021-01-26.15:52:42
Message-id <1611676363.22.0.936567299603.issue42988@roundup.psfhosted.org>
Content
@Serhiy,

While this approach solves the getfile problem, I don't think this will solve the other problem of pydoc leaking secrets stored in Python files:

Quoting from Marc-Andre Lemburg's message:
> the tool also makes available all Python modules which can be found on sys.path of the user starting pydoc -p. It shows all doc-strings, functions, the class structure and literal values of any constants found in those modules.
> In a corporate environment this can easily result in data leaks of e.g. unreleased software, personal information, disclosure of NDA protected code, designs, algorithms and other secrets.

Quoting from Victor's messages:
> pydoc shows global constant values in the doc. So yes, if you find a settings.py of a Django project, you can discover secrets.

Ultimately, the problem seems to be that .py files (other than those in the stdlib) may contain sensitive info, which pydoc can read.
History
Date User Action Args
2021-01-26 15:52:43 kj set recipients: + kj, lemburg, vstinner, serhiy.storchaka, mdk, hroncok
2021-01-26 15:52:43 kj set messageid: <1611676363.22.0.936567299603.issue42988@roundup.psfhosted.org>
2021-01-26 15:52:43 kj link issue42988 messages
2021-01-26 15:52:42 kj create
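
The behaviour discussed in the message above (pydoc printing module-level constant values) can be audited from the defender's side. The following is an added example, not code from the issue or from CPython: it renders a module through pydoc's plain-text renderer and lists the secret-looking constants that would appear in its DATA section. The `SECRET_NAME` heuristic, the sample settings file, and the function names are assumptions made for illustration.

```python
import importlib.util
import pydoc
import re
import tempfile
from pathlib import Path

# Assumption: name-based heuristic for secret-looking constants; tune per code base.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|CREDENTIAL", re.I)

# Constructed stand-in for a Django-style settings.py; all values are fake.
SAMPLE_SETTINGS = '''"""Project settings."""
DEBUG = False
SECRET_KEY = "constructed-not-a-real-key"
DB_PASSWORD = "constructed-db-password"
_INTERNAL_TOKEN = "constructed-underscore-token"
'''

def pydoc_data_section(module):
    """Return {name: repr} for every constant pydoc prints under DATA."""
    text = pydoc.render_doc(module, renderer=pydoc.plaintext)
    exposed, in_data = {}, False
    for line in text.splitlines():
        if line and not line.startswith(" "):  # section header such as NAME, DATA, FILE
            in_data = line.strip() == "DATA"
            continue
        match = re.match(r" {4}(\w+) = (.*)$", line)
        if in_data and match:
            exposed[match.group(1)] = match.group(2)
    return exposed

def exposed_secrets(module):
    """Names in the DATA section that match the secret-name heuristic."""
    return sorted(n for n in pydoc_data_section(module) if SECRET_NAME.search(n))

def audit_sample():
    """Write the sample to a temp dir, import it, and audit what pydoc would show."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "settings.py"
        path.write_text(SAMPLE_SETTINGS)
        spec = importlib.util.spec_from_file_location("audited_settings", path)
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)  # runs the file, as importing it for pydoc would
        return pydoc_data_section(module), exposed_secrets(module)

if __name__ == "__main__":
    data, names = audit_sample()
    for name in names:
        print(f"pydoc would display: {name} = {data[name]}")
```

pydoc omits underscore-prefixed names such as `_INTERNAL_TOKEN` from the DATA section unless they are listed in `__all__`, so the audit reports only the two public constants; that is a display rule, not a protection for the file's contents.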