Message389452
The "pydoc -p port" command only listens on the local link ("localhost") by default, even if it's possible to listen on another IPv4 address using the -n HOSTNAME command line option.
While the "getfile" feature is convenient when the pydoc server is accessed from a different machine, I don't think that it's worth it, compared to the security risks and the complexity of the PR 24285 and PR 24337 fixes.
I propose to simply remove the "getfile" feature with PR 25015, but keep links using the file:// scheme. So we delegate the security to the web browser. If the web server is allowed to read sensitive data of a local Python file, it's not our problem: pydoc doesn't make things worse.

Date | User | Action | Args
2021-03-24 13:41:34 | vstinner | set | recipients: + vstinner, lemburg, gregory.p.smith, ned.deily, lukasz.langa, serhiy.storchaka, mdk, hroncok, frenzy, kj
2021-03-24 13:41:34 | vstinner | set | messageid: <1616593294.94.0.724662754225.issue42988@roundup.psfhosted.org>
2021-03-24 13:41:34 | vstinner | link | issue42988 messages
2021-03-24 13:41:34 | vstinner | create |