Julien Palard <julien+pyt...@palard.fr> added the comment:
Nice find! I am able to reproduce it too in many Python releases.

I see different ways we can fix it:

# Using a random secret generated at startup time

Used any way, like by providing an hmac on getfile URLs to ensure they are signed with the server secret.

Con: getfile URLs won't work from one run to another (the secret should be random and changed at every start), and can't be shared (does someone share them in the first place?)

# Allowlist according to sys.path

In the getfile implementation, we can check if the asked path is under a path from sys.path.

Con: If someone has ~/ in sys.path, we can still access all of their home, or if someone starts it using `python -m pydoc` while being in their home directory, as Python will prepend the cwd in sys.path.

# Allowlist populated while generating links

The idea is: each time the server generates a getfile link, the target is added to an allowlist. Each time a getfile link is requested, if the file is not in the allowlist, the request is denied.

Con: Refreshing a page won't work after a server restart (thus having an empty allowlist).

# fnmatch allowlist

We could allow only `.py` files.

Con: Secrets stored in `.py` files under the user's project could still be leaked.

-----------------

My personal preference goes for the allowlist populated while generating links.

----------
nosy: +mdk

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42988>
_______________________________________
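
Added example, not part of the message above and not pydoc's own code: a sketch of the "allowlist populated while generating links" option, including the restart drawback the message names. The `getfile?key=` URL shape, the class and function names, and the sample files are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import quote, unquote

PREFIX = "getfile?key="  # assumed URL shape for getfile links


class GetfileAllowlist:
    """Serve only files for which this server process emitted a link."""

    def __init__(self):
        self._allowed = set()  # in memory only: empty again after a restart

    def make_link(self, path):
        """Called while rendering a page: record the target, return its URL."""
        real = os.path.realpath(path)  # one canonical key per file
        self._allowed.add(real)
        return PREFIX + quote(real)

    def resolve(self, url):
        """Called on a request: return the path to serve, or None to deny."""
        if not url.startswith(PREFIX):
            return None
        # Canonicalize before the lookup so the check is made on the file
        # that would actually be opened, not on the spelling in the URL.
        real = os.path.realpath(unquote(url[len(PREFIX):]))
        return real if real in self._allowed else None


def demo():
    """Constructed files: one linked from a page, one never linked."""
    with tempfile.TemporaryDirectory() as tmp:
        module = os.path.join(tmp, "mymodule.py")
        secret = os.path.join(tmp, "secret.txt")
        for name in (module, secret):
            with open(name, "w") as fh:
                fh.write("x = 1\n")
        server = GetfileAllowlist()
        link = server.make_link(module)
        dotted = os.path.join(tmp, "pkg", "..", "secret.txt")
        return {
            "linked": server.resolve(link) == os.path.realpath(module),
            "unlinked": server.resolve(PREFIX + quote(secret)),
            "dotdot": server.resolve(PREFIX + quote(dotted)),
            "after_restart": GetfileAllowlist().resolve(link),
        }


if __name__ == "__main__":
    print(demo())
```

The `after_restart` entry is the stated con: a fresh process has an empty allowlist, so a previously valid link is denied until the page that contains it is rendered again.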