Description of problem:
Running `pydoc -p` allows other local users to extract arbitrary files.

Version-Release number of selected component (if applicable):
python3-3.8.6-1.fc32.x86_64

How reproducible:
If pydoc is running on a port.

Steps to Reproduce:
1. Start pydoc on a port.
2. As a different user, guess or extract the port.
3. Call getfile on the server to extract arbitrary files, e.g.
   http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa.pub
   http://localhost:8888/getfile?key=/etc/shadow

Actual results:
Any local user on the multi-user system can read all my keys and secrets.

Expected results:
Access is prevented.

Additional info:
At least a warning should be printed that this is insecure on multi-user systems. python notebook works around this by providing a token that is required to access the notepad. Depending on the system, being able to read arbitrary files can allow someone to impersonate me, e.g. by stealing my ssh-key (if it is non-encrypted).
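The report above describes a `getfile` handler that returns whatever path the `key` parameter names, and points at two mitigations: a per-session token (as the notebook does) and not serving arbitrary files at all. The following is an added example, not code from the bug report or from CPython's pydoc, of a minimal getfile-style handler that applies both: it confines the resolved path to a served root via `os.path.realpath` plus `os.path.commonpath`, and requires a random token compared in constant time. The class `HardenedGetFile`, the function names, and the constructed temporary files in `demo()` are this example's own assumptions; the URLs mirror the shapes quoted in the report.

```python
import os
import secrets
import tempfile
from urllib.parse import parse_qs, urlsplit


def parse_getfile_request(url):
    """Return (key, token) from a /getfile URL; (None, None) for any other path."""
    parts = urlsplit(url)
    if parts.path != "/getfile":
        return None, None
    query = parse_qs(parts.query)
    return query.get("key", [None])[0], query.get("token", [None])[0]


def is_within_root(path, root):
    """True only if the fully resolved path lies inside the resolved root.

    realpath() collapses '..' and follows symlinks, so 'root/../x' and a
    symlink inside root pointing outside are both rejected.
    """
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


class HardenedGetFile:
    """Hypothetical getfile handler (assumption: not pydoc's real code).

    Two checks the reported handler lacked: a per-server secret token, and a
    root-confinement check on the requested path.
    """

    def __init__(self, root):
        self.root = os.path.realpath(root)
        # 256-bit random token, generated once per server start.
        self.token = secrets.token_urlsafe(32)

    def handle(self, url):
        """Return an (http_status, body) tuple for one request URL."""
        key, token = parse_getfile_request(url)
        if key is None:
            return 404, b"not found"
        # Constant-time compare so the token cannot be guessed byte by byte.
        if token is None or not secrets.compare_digest(token, self.token):
            return 403, b"missing or invalid token"
        if not is_within_root(key, self.root):
            return 403, b"path outside served root"
        try:
            with open(key, "rb") as f:
                return 200, f.read()
        except OSError:
            return 404, b"not found"


def demo():
    """Constructed scenario: one file inside the served root, one outside it.

    Returns the HTTP status each request receives.
    """
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "docs")
        os.makedirs(root)
        served = os.path.join(root, "module.py")
        with open(served, "w") as f:
            f.write("# constructed sample source served by the doc server\n")
        # Stands in for a user's key file; constructed, not a real key.
        secret = os.path.join(base, "id_rsa.pub")
        with open(secret, "w") as f:
            f.write("constructed-not-a-real-key\n")

        server = HardenedGetFile(root)
        base_url = "http://localhost:8888/getfile?key="
        requests = {
            "inside": f"{base_url}{served}&token={server.token}",
            "outside": f"{base_url}{secret}&token={server.token}",
            "no_token": f"{base_url}{served}",
            "traversal": f"{base_url}{root}/../id_rsa.pub&token={server.token}",
        }
        return {name: server.handle(url)[0] for name, url in requests.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Only the in-root request with the correct token gets a 200; the key-file path, the token-less request, and the `..` traversal all get 403. Note that the token check alone does not help if the token is printed to a world-readable log or passed on a command line visible in `ps`, which is why the path confinement is kept as an independent second check.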
Marking this private for now.
I've sent this to security
(In reply to david08741 from comment #0) Thanks for reporting. May Red Hat Product Security acknowledge you for this report? If so, please state the name or pseudonym you wish to go by.
Sure, my name is David Schwörer <davidsch at fedoraproject dot org>
*** This bug has been marked as a duplicate of bug 1937476 ***