[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem
STINNER Victor
report at bugs.python.org
Thu Jan 21 08:57:51 EST 2021
STINNER Victor <vstinner at python.org> added the comment:
The getfile feature is used to display the source code of a Python module.
For example, on the difflib documentation, there is a link to difflib.py. If you click, a webpage displays the content of the file.
I suggest removing the whole feature. I don't think that it's so useful, compared to the vulnerability.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42988>
_______________________________________
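
An added illustration, not pydoc's code and not the fix adopted for this issue: a source viewer limited to the use case described in the comment above would serve a file only when the requested path resolves to the source file of an imported module. The function names are hypothetical.

```python
import os
import sys
import difflib  # imported so that its source file counts as a known module


def known_module_sources():
    """Return the resolved paths of .py source files of imported modules."""
    paths = set()
    for module in list(sys.modules.values()):
        filename = getattr(module, "__file__", None)
        if filename and filename.endswith(".py"):
            paths.add(os.path.realpath(filename))
    return paths


def is_allowed_source(requested, allowed=None):
    """Hypothetical check: True only if `requested` is a module source file.

    The path is resolved first, so ".." components and symlinks are
    compared by their final target rather than by their spelling.
    """
    if allowed is None:
        allowed = known_module_sources()
    if "\x00" in requested:
        return False
    return os.path.realpath(requested) in allowed


if __name__ == "__main__":
    lib_dir = os.path.dirname(difflib.__file__)
    # Constructed sample requests: one module source file, two other paths.
    samples = [
        difflib.__file__,
        "/etc/passwd",
        os.path.join(lib_dir, "..", "..", "..", "etc", "passwd"),
    ]
    for path in samples:
        print(path, "->", "serve" if is_allowed_source(path) else "refuse")
```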