New submission from Miro Hrončok <m...@hroncok.cz>:

Hello Python security,

a Fedora user has reported the following security vulnerability to us (I was able to verify it):

Running `pydoc -p` allows other local users to extract arbitrary files.

Steps to Reproduce:
1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa

Actual results: any local user on the multi-user system can read all my keys and secrets

Expected results: Access is prevented.

Additional info: At least a warning should be printed, that this is insecure on multi-user systems. Python notebook works around this by providing a token that is required to access the notepad.

Depending on the system, being able to read arbitrary files can allow to impersonate me, by e.g. stealing my ssh-key (if it is non-encrypted)

I've originally reported this to secur...@python.org but I was asked to open a public issue here.

----------
components: Library (Lib)
messages: 385412
nosy: hroncok
priority: normal
severity: normal
status: open
title: Information disclosure via pydoc -p
type: security
versions: Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42988>
_______________________________________
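
Added example, not part of the original report and not pydoc's own code: a sketch of the token approach the report mentions, extended with a path containment check so that even an authenticated getfile request cannot leave a set of allowed directories. The `token` query parameter, `authorize_getfile`, `allowed_roots` and the temporary files are assumptions constructed for this illustration.

```python
import hmac
import os
import secrets
import tempfile
from urllib.parse import parse_qs, urlsplit


def authorize_getfile(url, expected_token, allowed_roots):
    """Return the real path a getfile request may read, or raise PermissionError.
    `token` and `allowed_roots` are assumptions of this example, not pydoc's API."""
    query = parse_qs(urlsplit(url).query)
    token = query.get("token", [""])[0]
    # Constant-time compare; an absent token is "" and never matches.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        raise PermissionError("missing or wrong token")
    key = query.get("key", [""])[0]
    if not key:
        raise PermissionError("no file requested")
    # Resolve symlinks and ".." before the containment check.
    real = os.path.realpath(key)
    for root in map(os.path.realpath, allowed_roots):
        if os.path.commonpath([real, root]) == root:
            return real
    raise PermissionError("path outside allowed roots")


def demo():
    """Run constructed requests against a temporary directory tree."""
    base = os.path.realpath(tempfile.mkdtemp())
    lib = os.path.join(base, "lib")
    os.makedirs(lib)
    mod, secret = os.path.join(lib, "mod.py"), os.path.join(base, "secret.key")
    for path in (mod, secret):
        open(path, "w").close()
    tok = secrets.token_urlsafe(32)  # shown only to the user who started the server
    get = "http://localhost:8888/getfile?key="
    urls = {
        "no_token": get + mod,
        "outside": f"{get}{secret}&token={tok}",
        "dotdot": f"{get}{lib}/../secret.key&token={tok}",
        "allowed": f"{get}{mod}&token={tok}",
    }
    out = {}
    for name, url in urls.items():
        try:
            out[name] = authorize_getfile(url, tok, [lib])
        except PermissionError as exc:
            out[name] = "denied: " + str(exc)
    return mod, out
```

Calling `demo()` returns the path of the one permitted file and a per-request verdict; a server would also bind to the loopback interface only, since the token alone does not stop remote guessing attempts.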