[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem
STINNER Victor
report at bugs.python.org
Thu Jan 21 08:55:20 EST 2021
STINNER Victor <vstinner at python.org> added the comment:
An option is also to remove the whole getfile feature. It was added in bpo-2001 by:

commit 7bb30b72d8a165f8bacbc480b8d5a15834fa4c35
Author: Nick Coghlan <ncoghlan at gmail.com>
Date: Fri Dec 3 09:29:11 2010 +0000

    Improve Pydoc interactive browsing (#2001). Patch by Ron Adam.

    * A -b option to start an enhanced browsing session.
    * Allow -b and -p options to be used together.
    * Specifying port 0 will pick an arbitrary unused socket port.
    * A new browse() function to start the new server and browser.
    * Show Python version information in the header.
    * A *Get* field which takes the same input as the help() function.
    * A *Search* field which replaces the Tkinter search box.
    * Links to *Module Index*, *Topics*, and *Keywords*.
    * Improved source file viewing.
    * An HTMLDoc.filelink() method.
    * The -g option and the gui() and serve() functions are deprecated.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42988>
_______________________________________