[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem
Ken Jin
report at bugs.python.org
Thu Jan 21 12:32:31 EST 2021
Ken Jin <kenjin4096 at gmail.com> added the comment:
I created a PR to remove the getfile function - now it just places the hyperlinked file path there but clicking on it won't render the file contents.
Personally I agree with Marc-Andre Lemburg's comments on how _url_handler probably has other vulnerabilities somewhere. But I don't really see an easy solution other than removing the web server altogether. It uses http.server, which has a disclaimer on the docs page saying it isn't recommended for production. Someone looking hard enough can probably find a few more vulnerabilities in http.server itself rather than just pydoc.
I think the "Allowlist populated while generating links" suggested by Julien is pretty clever.
I thought about the file:// approach too - it's probably the most secure. But it would require a lot of change (and also generating all the .py files to .html initially).
Maybe I'll make a PR exploring the other approaches if the current one isn't favorable.
Thanks for your time.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42988>
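The two designs discussed above, the vulnerable "read whatever path the query names" pattern and the "allowlist populated while generating links" mitigation, side by side as an added illustration. This is example code written for this page, not pydoc's own `_url_handler`/`getfile` implementation and not the PR's diff; `vulnerable_getfile`, `LinkRegistry` and `demo` are hypothetical names, the files are constructed in a temporary directory, and the query strings mimic the `/getfile?key=path` shape from the report title.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, urlsplit


def vulnerable_getfile(query: str) -> str:
    """The pattern the report describes: the 'key' query parameter names the
    file to open, so any file the server process can read is exposed."""
    params = parse_qs(urlsplit(query).query)
    path = params.get("key", [""])[0]
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


class LinkRegistry:
    """Illustrative allowlist (not pydoc's code): a path becomes fetchable only
    after the documentation generator itself emitted a link to it."""

    def __init__(self) -> None:
        self._allowed = set()

    def link_for(self, path: str) -> str:
        # Canonicalise so one file always maps to one allowlist entry and
        # a '..'-laden spelling cannot alias an unregistered file later.
        real = os.path.realpath(path)
        self._allowed.add(real)
        return "/getfile?key=" + quote(real, safe="")

    def getfile(self, query: str) -> Optional[str]:
        params = parse_qs(urlsplit(query).query)
        real = os.path.realpath(params.get("key", [""])[0])
        if real not in self._allowed:
            return None  # caller should answer 404, never reveal the path
        with open(real, encoding="utf-8", errors="replace") as fh:
            return fh.read()


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one 'documented' module next to a secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        module = os.path.join(tmp, "module.py")
        secret = os.path.join(tmp, "secret.txt")
        with open(module, "w", encoding="utf-8") as fh:
            fh.write("def f(): pass\n")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("TOP SECRET\n")

        reg = LinkRegistry()
        link = reg.link_for(module)  # only this file was ever linked

        def q(path: str) -> str:
            return "/getfile?key=" + quote(path, safe="")

        return {
            # unrestricted handler: the secret is readable by anyone
            "vulnerable_secret": vulnerable_getfile(q(secret)),
            # allowlisted handler: the linked module is served ...
            "hardened_module": reg.getfile(link),
            # ... a canonical alias of it still resolves to the same entry ...
            "hardened_alias": reg.getfile(q(os.path.join(tmp, "sub", "..", "module.py"))),
            # ... but an unlinked file is refused, directly or via traversal
            "hardened_secret": reg.getfile(q(secret)),
            "hardened_traversal": reg.getfile(q(os.path.join(tmp, "sub", "..", "secret.txt"))),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The allowlist is keyed on `os.path.realpath` output on both sides so that the registered spelling and the requested spelling compare equal, which is what makes the alias case succeed while the traversal case is rejected; a handler that compared raw strings would either leak files through `..` or reject legitimate links depending on which side was normalised.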