[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread Ken Jin
Ken Jin added the comment: @Serhiy, While this approach solves the getfile problem, I don't think this will solve the other problem of pydoc leaking secrets stored in python files: Quoting from Marc-Andre Lemburg's message: > the tool also makes available all Python modules which can be foun

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread STINNER Victor
Change by STINNER Victor: pull_requests: -23159

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread STINNER Victor
Change by STINNER Victor: pull_requests: +23159, pull_request: https://github.com/python/cpython/pull/24339

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread STINNER Victor
Change by STINNER Victor: pull_requests: -23157

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread STINNER Victor
Change by STINNER Victor: pull_requests: +23157, pull_request: https://github.com/python/cpython/pull/24339

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: PR 24337 uses a different approach. It keeps compatibility, but checks that the argument is a file path of the source of one of the modules (using the same algorithm as /search).
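An added example of the allowlist check described above, not code from CPython or from PR 24337: the set of module source paths is built the way a /search-style walk over the search path would, without importing anything, and a getfile request is served only if its canonical path is in that set. The function names, the sandbox directory and the files in it are constructed for this example.

```python
import os
import pkgutil
import tempfile


def module_source_paths(search_path):
    """Real paths of the source files of every top-level module or package
    found on search_path (e.g. sys.path), resolved via each finder's
    find_spec() so nothing is imported. Assumed helper, not pydoc's API."""
    allowed = set()
    for finder, name, _ispkg in pkgutil.iter_modules(search_path):
        spec = finder.find_spec(name)
        if spec is not None and spec.has_location and spec.origin:
            allowed.add(os.path.realpath(spec.origin))
    return allowed


def safe_getfile(requested, allowed):
    """Hardened stand-in for pydoc's html_getfile: the original opened the
    'key' parameter directly; here the canonical path must be a known
    module source, which defeats '..' segments and symlinks alike."""
    real = os.path.realpath(requested)
    if real not in allowed:
        raise PermissionError(f"refusing {requested!r}: not a module source")
    with open(real, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo():
    """Constructed sandbox: one module on the search path and a secret file
    one directory above it. Returns (module_served, secret_leaked)."""
    root = tempfile.mkdtemp()
    libdir = os.path.join(root, "lib")
    os.mkdir(libdir)
    with open(os.path.join(libdir, "greeter.py"), "w") as fh:
        fh.write("def hi():\n    return 'hi'\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("TOKEN=constructed-example-value\n")  # constructed, not real
    allowed = module_source_paths([libdir])
    served = safe_getfile(os.path.join(libdir, "greeter.py"), allowed)
    try:
        # the pre-fix behaviour would have returned this file's contents
        safe_getfile(os.path.join(libdir, "..", "secret.txt"), allowed)
        leaked = True
    except PermissionError:
        leaked = False
    return served.startswith("def hi"), leaked


if __name__ == "__main__":
    print(demo())  # constructed run: (True, False)
```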

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-26 Thread Serhiy Storchaka
Change by Serhiy Storchaka: pull_requests: +23156, pull_request: https://github.com/python/cpython/pull/24337

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-22 Thread Ken Jin
Ken Jin added the comment: I have updated the PR to do the following:
- removed html_getfile
- implement a unique secret as suggested above
Now it says:
>>> python.exe -m pydoc -b
Server ready at http://localhost:52035/Y1YzOyEbitE9BB_dtH0YXbMgGXbcg3ytXLpvpg8P7GEM3z1hlCkTXgxaojtAordVqs2s6oHZH

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-22 Thread STINNER Victor
STINNER Victor added the comment: > Python's http.server at least warns about this in the docs: > https://docs.python.org/3/library/http.server.html > and limits the serving to the current dir (and subdirs). I would be fine with a warning in the pydoc documentation, but I dislike warnings dis

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-22 Thread STINNER Victor
STINNER Victor added the comment: Fidget-Spinner wrote on the PR: > AFAIK no. However, pydoc currently works by calling inspect on files it sees > in path, and this may reveal private code as Marc-Andre Lemburg pointed out > on the bpo. I will try the random url token he suggested via > secr

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-22 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Why not limit the serving to sys.path? -- nosy: +serhiy.storchaka

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-22 Thread Marc-Andre Lemburg
Marc-Andre Lemburg added the comment: On 22.01.2021 01:28, STINNER Victor wrote: > > STINNER Victor added the comment: > >> I'd suggest to print a big warning on the console, explaining that the web >> server will potentially make all content accessible by the user visible to >> anyone els

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 Thread STINNER Victor
STINNER Victor added the comment: > I'd suggest to print a big warning on the console, explaining that the web > server will potentially make all content accessible by the user visible to > anyone else on the same server. I dislike this idea. If there are vulnerabilities, they should be fixed

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 Thread Ken Jin
Ken Jin added the comment: I created a PR to remove the getfile function - now it just places the hyperlinked file path there but clicking on it won't render the file contents. Personally I agree with Marc-Andre Lemburg's comments on how _url_handler probably has other vulnerabilities somewh

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 Thread Ken Jin
Change by Ken Jin: keywords: +patch, nosy: +kj, nosy_count: 4.0 -> 5.0, pull_requests: +23104, stage: -> patch review, pull_request: https://github.com/python/cpython/pull/24285

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 Thread STINNER Victor
STINNER Victor added the comment: The getfile feature is used to display the source code of a Python module. For example, on the difflib documentation, there is a link to difflib.py. If you click, a webpage displays the content of the file. I suggest to remove the whole feature. I don't think t

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 Thread STINNER Victor
STINNER Victor added the comment: An option is also to remove the whole getfile feature. It was added in bpo-2001 by: commit 7bb30b72d8a165f8bacbc480b8d5a15834fa4c35 Author: Nick Coghlan Date: Fri Dec 3 09:29:11 2010 + Improve Pydoc interactive browsing (#2001). Patch by Ron Adam

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 Thread STINNER Victor
STINNER Victor added the comment: I searched for "pydoc by Ka-Ping Yee" in Google and only found two online pydoc services: * https://gae-pydoc.appspot.com/ * http://www.cc.kyoto-su.ac.jp/~atsushi/Programs/VisualWorks/CSV2HTML/CSV2HTML_PyDoc/index_of_modules.html The first one runs on Pytho

[issue42988] Information disclosure via pydoc -p

2021-01-21 Thread Marc-Andre Lemburg
Marc-Andre Lemburg added the comment: Looking at the _url_handler() code in pydoc.py, this was clearly not written with web server standards in mind. None of the handlers apply security checks on the user input and there are most likely several other vulnerabilities in there to be found. It

[issue42988] Information disclosure via pydoc -p

2021-01-21 Thread STINNER Victor
STINNER Victor added the comment: Downstream Fedora issue: https://bugzilla.redhat.com/show_bug.cgi?id=1917807

[issue42988] Information disclosure via pydoc -p

2021-01-21 Thread STINNER Victor
Change by STINNER Victor: nosy: +vstinner

[issue42988] Information disclosure via pydoc -p

2021-01-21 Thread Julien Palard
Julien Palard added the comment: Nice find! I am able to reproduce it too in many Python releases. I see different ways we can fix it: # Using a random secret generated at startup time Used any way, like by providing an hmac on getfile urls to ensure they are signed with the server secret.

[issue42988] Information disclosure via pydoc -p

2021-01-21 Thread Miro Hrončok
New submission from Miro Hrončok: Hello Python security, a Fedora user has reported the following security vulnerability to us (I was able to verify it): Running `pydoc -p` allows other local users to extract arbitrary files. Steps to Reproduce:
1. start pydoc on a port
2. as a different user