Author kasplat
Date 2003-01-22.19:45:59
Content
It would be very simple to secure the pydoc server so 
that it doesn't accept connections from external boxes 
as well as provide for a way of extending connections to 
trusted hosts by keeping a list of valid IP addresses. 
This would make pydoc suitable for running on boxes 
that aren't behind firewalls, which currently it is not; 
most home machines don't have a firewall and are 
regularly port scanned by script kiddies...

Since pydoc does not log connections, you can't tell 
who is connecting to your machine or what they are 
trying to reach. My solution is to simply make the 
default pydoc server only accept connections from the 
host it was started on.

The change is for the DocServer class. A validIPList 
keeps track of the IP addresses that can legally connect 
to the server. The verify_request method is overridden to 
enforce this rule.

            import socket
            # Hosts allowed to connect: loopback plus this machine's own address.
            self.validIPList = ['127.0.0.1']
            self.validIPList.append(
                socket.gethostbyname(socket.gethostname()))


        def verify_request(self, request, client_address):
            if client_address[0] in self.validIPList:
                return 1
            else:
                return 0

This patch does not provide a UI change to allow the 
user to easily add additional IP addresses. If that is 
desired because of the assumption that people typically 
run the pydoc server not for personal use, but for a group 
of machines to reach, then the simplest change would 
be to have a checkbox for "Allow any host to connect" 
and then have a self.allowAny member variable to reflect 
that checkbox state, so the verify_request becomes

    def verify_request(self, request, client_address):
        if self.allowAny or client_address[0] in self.validIPList:
            return 1
        else:
            return 0

ka
History
Date User Action Args
2007-08-23 15:20:01 admin link issue672656 messages
2007-08-23 15:20:01 admin create
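
The allowlist check described in the message above, written out as an added example that is not part of the original post or of pydoc. It goes beyond the post by accepting CIDR ranges, normalising IPv4-mapped IPv6 peers and logging rejected connections; the class name `AllowlistHTTPServer` and its `allowed`, `allow_any` and `denied` names are hypothetical.

```python
import ipaddress
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("allowlist_server")


class AllowlistHTTPServer(HTTPServer):
    """HTTPServer that drops connections from peers outside an allowlist."""

    def __init__(self, addr, handler, allowed=("127.0.0.1",), allow_any=False):
        # Entries may be single addresses or CIDR ranges (hypothetical names).
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in allowed]
        self.allow_any = allow_any
        self.denied = []  # peers rejected so far, kept for inspection
        super().__init__(addr, handler)

    def is_allowed(self, host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False  # unparsable peer address: fail closed
        # A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return any(ip in net for net in self.allowed)

    def verify_request(self, request, client_address):
        # socketserver calls this after accept() and before the handler runs;
        # returning False closes the socket without sending a response.
        host = client_address[0]
        if self.allow_any or self.is_allowed(host):
            return True
        self.denied.append(host)
        log.warning("rejected connection from %s:%s", host, client_address[1])
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed peers; binding to loopback makes the allowlist a second layer.
    srv = AllowlistHTTPServer(("127.0.0.1", 0), BaseHTTPRequestHandler)
    print(srv.verify_request(None, ("127.0.0.1", 40000)))
    print(srv.verify_request(None, ("203.0.113.7", 40000)))
    srv.server_close()
```
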