[New-bugs-announce] [issue42988] Information disclosure via pydoc -p

Miro Hrončok report at bugs.python.org
Thu Jan 21 07:18:37 EST 2021

New submission from Miro Hrončok <miro at hroncok.cz>:

Hello Python security,
a Fedora user has reported the following security vulnerability to us (I was able to verify it):

Running `pydoc -p` allows other local users to extract arbitrary files.

Steps to Reproduce:
1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa

Actual results:
any local user on the multi-user system can read all my keys and secrets

Expected results:
Access is prevented.

Additional info:
At least a warning should be printed, that this is insecure on multi-user systems.

Python notebook works around this by providing a token that is required to access the notepad. Depending on the system being able to read arbitrary files can allow to impersonate my, by  e.g. stealing my ssh-key (if it is non-encrypted) 

I've originally reported this to security at python.org but I was asked to open a public issue here.

components: Library (Lib)
messages: 385412
nosy: hroncok
priority: normal
severity: normal
status: open
title: Information disclosure via pydoc -p
type: security
versions: Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list