[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem
STINNER Victor
report at bugs.python.org
Fri Jan 22 05:58:14 EST 2021
STINNER Victor <vstinner at python.org> added the comment:
Fidget-Spinner wrote on the PR:
> AFAIK no. However, pydoc currently works by calling inspect on files it sees in path, and this may reveal private code as Marc-Andre Lemburg pointed out on the bpo. I will try the random url token he suggested via secrets.token_urlsafe to see if it helps.
pydoc shows global constant values in the doc. So yes, if you find a settings.py of a Django project, you can discover secrets.
I'm working on bpo-42955 "Add sys.module_names: list of stdlib module names (Python and extension modules)".
One option would be to restrict pydoc to stdlib modules by default, and ask to opt in for discovery of any module installed on the system (sys.path).
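To illustrate the point about constant values, here is an added example (not code from the thread or from CPython) that renders a constructed settings-style module with the same plaintext renderer the pydoc text UI uses and lists which module-level values end up in the output; the module name `fake_settings` and every value in it are constructed placeholders, not real secrets.

```python
import pydoc
import types


def make_settings_module():
    """Constructed stand-in for a Django-style settings.py (not a real project file)."""
    mod = types.ModuleType("fake_settings", "Constructed settings module for the example.")
    mod.DEBUG = False
    mod.SECRET_KEY = "constructed-secret-0123"          # placeholder, not a real key
    mod.DATABASES = {"default": {"PASSWORD": "constructed-db-pw"}}  # placeholder
    return mod


def render_plaintext(mod):
    """Return the text pydoc would produce for the module (its DATA section
    prints each public module-level value with its repr)."""
    return pydoc.plaintext.document(mod)


def exposed_constants(mod):
    """Names of public module-level values whose repr appears verbatim in the
    rendered pydoc text, i.e. what a reader of the served docs would see."""
    text = render_plaintext(mod)
    return sorted(
        name
        for name, value in vars(mod).items()
        if not name.startswith("_") and repr(value) in text
    )


if __name__ == "__main__":
    settings = make_settings_module()
    print(render_plaintext(settings))
    print("exposed:", exposed_constants(settings))
```

Running the same check against a project's real settings module before serving it with `pydoc -p` shows exactly which values would be disclosed.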
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42988>
_______________________________________