securing pydoc server #66611
Several years ago a patch was applied to set the default binding of the pydoc server to "localhost" instead of "0.0.0.0". It appears that the issue was reintroduced in a5a3ae9be1fb. See previous issue: http://bugs.python.org/issue672656

$ ./python -m pydoc -b
Server ready at http://localhost:35593/
Server commands: [b]rowser, [q]uit
server>
---
$ netstat -lnp | grep python
tcp 0 0 0.0.0.0:35593 0.0.0.0:* LISTEN 2780/python

As a sidenote, I'm not sure why the localhost lookup breaks the test case on my linux machine, but it does.
The localhost breaking on your Linux system might be due to an improper /etc/hosts, or is localhost pointing to an IPv6 address? That said, I think it is okay to rely on 127.0.0.1 as host for running pydoc server. I am unsure why the initial check was done only for mac (and Windows and Linux are left to use localhost).
sys.platform is darwin since OS X 10.5. I am not sure when its value was 'mac'. So effectively the host was localhost on mac systems. Directly setting the host value to localhost on all platforms may be the right thing to do. Here is a patch with tests.
New changeset c438f6aaafa9 by Senthil Kumaran in branch '3.3':
New changeset d36c0f2ab821 by Senthil Kumaran in branch '3.4':
New changeset 9f7b97fac919 by Senthil Kumaran in branch 'default':
2.7 was not affected and it was binding to localhost properly. Since it is a security-related issue, I have fixed it in 3.3 as well.
New changeset 02dae04b3e2b by Georg Brandl in branch '3.2':
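
The report above shows a startup banner that says "localhost" while netstat shows the socket listening on 0.0.0.0, so a regression check has to read the address from the listening socket itself. The following is an added example, not code from the issue or from pydoc; it uses `socketserver.TCPServer` (the base class of `http.server.HTTPServer`) as a stand-in server, and the function names are hypothetical.

```python
import ipaddress
import socketserver


def bound_address(bind_host):
    """Bind a TCP server to (bind_host, 0) and return the IP address the
    kernel reports for the listening socket (what netstat would show)."""
    # Port 0 asks the OS for a free ephemeral port, as `pydoc -b` does.
    server = socketserver.TCPServer((bind_host, 0),
                                    socketserver.BaseRequestHandler)
    try:
        return server.socket.getsockname()[0]
    finally:
        server.server_close()


def is_loopback_only(addr):
    """True only for loopback addresses (127.0.0.0/8, ::1).
    The wildcard 0.0.0.0 is 'unspecified', not loopback."""
    return ipaddress.ip_address(addr).is_loopback


def audit(bind_host):
    """Return (actual listening address, reachable from loopback only?)."""
    addr = bound_address(bind_host)
    return addr, is_loopback_only(addr)


if __name__ == "__main__":
    # An empty host string binds every interface, which is the behaviour
    # the netstat output in the report shows.
    for host in ("", "0.0.0.0", "127.0.0.1"):
        addr, ok = audit(host)
        verdict = "loopback only" if ok else "listening on all interfaces"
        print(f"bind_host={host!r:12} -> {addr:10} {verdict}")
```

A test of this shape, run against the real server object, fails on any change that lets the bind address drift back to the wildcard even when the printed URL still says localhost.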