STINNER Victor <[email protected]> added the comment:
The "pydoc -p port" command only listens on the local link ("localhost") by
default, even if it's possible to listen on another IPv4 address using the -n
HOSTNAME command line option.
While the "getfile" feature is convenient when the pydoc server is accessed
from a different machine, I don't think that it's worth it, compared to the
security risks and the complexity of the PR 24285 and PR 24337 fixes.
I propose to simply remove the "getfile" feature with PR 25015, but keep links
using the file:// scheme. So we delegate the security to the web browser. If the
web server is allowed to read sensitive data of a local Python file, it's not
our problem: pydoc doesn't make things worse.
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue42988>
_______________________________________