[New-bugs-announce] [issue42988] Information disclosure via pydoc -p
report at bugs.python.org
Thu Jan 21 07:18:37 EST 2021
New submission from Miro Hrončok <miro at hroncok.cz>:
Hello Python security,
a Fedora user has reported the following security vulnerability to us (I was able to verify it):
Running `pydoc -p` allows other local users to extract arbitrary files.
Steps to Reproduce:
1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa
any local user on the multi-user system can read all my keys and secrets
Access is prevented.
At least a warning should be printed, that this is insecure on multi-user systems.
Python notebook works around this by providing a token that is required to access the notepad. Depending on the system being able to read arbitrary files can allow to impersonate my, by e.g. stealing my ssh-key (if it is non-encrypted)
I've originally reported this to security at python.org but I was asked to open a public issue here.
components: Library (Lib)
title: Information disclosure via pydoc -p
versions: Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce