Ken Jin <kenjin4...@gmail.com> added the comment:
I created a PR to remove the getfile function - now it just places the hyperlinked file path there, but clicking on it won't render the file contents. Personally I agree with Marc-Andre Lemburg's comments on how _url_handler probably has other vulnerabilities somewhere. But I don't really see an easy solution other than removing the web server altogether. It uses http.server, which has a disclaimer on the docs page saying it isn't recommended for production. Someone looking hard enough can probably find a few more vulnerabilities in http.server itself rather than just pydoc.

I think the "Allowlist populated while generating links" suggested by Julien is pretty clever. I thought about the file:// approach too - it's probably the most secure. But it would require a lot of change (and also generating all the .py files to .html initially). Maybe I'll make a PR exploring the other approaches if the current one isn't favorable. Thanks for your time.

----------
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42988>
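The "allowlist populated while generating links" idea mentioned above, sketched as an added example that is not CPython's pydoc code and not part of this thread. The FileAllowlist class, its method names and the getfile?key= link format are assumptions made for illustration; the idea is that a file becomes servable only after the page generator has emitted a link to it, and every request is canonicalised with os.path.realpath before the lookup so that ../ or symlink tricks cannot point at a path that was never linked.

```python
"""Allowlist-on-link-generation sketch (added example; hypothetical API)."""
import os
import tempfile
import urllib.parse


class FileAllowlist:
    """Only paths that the page generator has linked to may be served."""

    def __init__(self):
        self._allowed = set()

    def register_link(self, module_file):
        """Called while rendering a module page; returns the link to emit.

        The canonical path is recorded so a later getfile request for it
        is accepted. Nothing else is ever servable.
        """
        canonical = os.path.realpath(module_file)
        self._allowed.add(canonical)
        return "getfile?key=" + urllib.parse.quote(canonical, safe="")

    def is_allowed(self, requested):
        # Canonicalise before the lookup so "dir/./x" or "dir/../dir/x"
        # compares equal to the registered path, and unrelated files never do.
        return os.path.realpath(requested) in self._allowed

    def getfile(self, requested):
        if not self.is_allowed(requested):
            raise PermissionError(f"not linked from generated docs: {requested!r}")
        with open(os.path.realpath(requested), encoding="utf-8") as fh:
            return fh.read()


def demo():
    """Constructed scenario: one linked module, one unlinked secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        module_path = os.path.join(tmp, "mymod.py")
        secret_path = os.path.join(tmp, "secret.txt")
        with open(module_path, "w", encoding="utf-8") as fh:
            fh.write("def f():\n    return 1\n")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("not for the browser\n")

        allowlist = FileAllowlist()
        link = allowlist.register_link(module_path)  # emitted on the module page
        served = allowlist.getfile(module_path)       # request for a linked file

        try:
            allowlist.getfile(secret_path)            # never linked: refused
            leaked = True
        except PermissionError:
            leaked = False

        # A dotted variant of a linked path still resolves to the same file.
        dotted_ok = allowlist.is_allowed(os.path.join(tmp, ".", "mymod.py"))

        return {
            "link": link,
            "served": served,
            "leaked": leaked,
            "dotted_ok": dotted_ok,
        }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately a set membership on canonical paths rather than a prefix or extension test: a prefix test can be escaped with symlinks, and an extension test would still serve any .py file on the machine. The remaining exposure is exactly the set of files the generator chose to link, which is the point of the approach.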