
securing pydoc server #66611

Closed
devin mannequin opened this issue Sep 15, 2014 · 6 comments
Assignees
Labels
stdlib Python modules in the Lib dir type-security A security issue

Comments

@devin
Mannequin

devin mannequin commented Sep 15, 2014

BPO 22421
Nosy @orsenthil
Files
  • pydoc_server_addr.patch
  • issue22421.diff
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/orsenthil'
    closed_at = <Date 2014-09-17.05:22:06.833>
    created_at = <Date 2014-09-15.19:16:58.603>
    labels = ['type-security', 'library']
    title = 'securing pydoc server'
    updated_at = <Date 2014-09-30.13:48:38.208>
    user = 'https://bugs.python.org/devin'

    bugs.python.org fields:

    activity = <Date 2014-09-30.13:48:38.208>
    actor = 'python-dev'
    assignee = 'orsenthil'
    closed = True
    closed_date = <Date 2014-09-17.05:22:06.833>
    closer = 'orsenthil'
    components = ['Library (Lib)']
    creation = <Date 2014-09-15.19:16:58.603>
    creator = 'devin'
    dependencies = []
    files = ['36628', '36631']
    hgrepos = []
    issue_num = 22421
    keywords = ['patch']
    message_count = 6.0
    messages = ['226935', '226947', '226954', '226980', '226981', '227918']
    nosy_count = 4.0
    nosy_names = ['orsenthil', 'Arfrever', 'devin', 'python-dev']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue22421'
    versions = ['Python 3.3', 'Python 3.4', 'Python 3.5']

    @devin
    Mannequin Author

    devin mannequin commented Sep 15, 2014

    Several years ago a patch was applied to set the default binding of the pydoc server to "localhost" instead of "0.0.0.0". It appears that the issue was reintroduced in a5a3ae9be1fb.

    See previous issue: http://bugs.python.org/issue672656

    $ ./python -m pydoc -b
    Server ready at http://localhost:35593/
    Server commands: [b]rowser, [q]uit
    server> 
    
    ---
    
    $ netstat -lnp | grep python
    tcp        0      0 0.0.0.0:35593           0.0.0.0:*               LISTEN      2780/python

    As a side note, I'm not sure why the localhost lookup breaks the test case on my Linux machine, but it does.

    @devin devin mannequin added stdlib Python modules in the Lib dir type-security A security issue labels Sep 15, 2014
    @orsenthil
    Member

    The localhost breaking on your Linux system might be due to an improper /etc/hosts, or is localhost pointing to an IPv6 address?

    That said, I think it is okay to rely on 127.0.0.1 as host for running pydoc server. I am unsure why the initial check was done only for mac (and windows and linux are left to use localhost).

    @orsenthil
    Member

    sys.platform is 'darwin' since OS X 10.5. I am not sure when its value was 'mac', so effectively the host was localhost on Mac systems.

    Directly setting the host value to localhost on all platforms may be the right thing to do. Here is a patch with tests.

    @orsenthil orsenthil self-assigned this Sep 16, 2014
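    The report above shows the server announcing http://localhost:<port>/ while netstat reveals a 0.0.0.0 listener, and the fix discussed here binds to localhost on every platform. The following is an added example (not code from CPython, the attached patches, or the pydoc module) that makes that difference checkable: it binds a throwaway HTTP server the same way pydoc -b does (port 0, kernel-chosen), reports the effective address the socket actually ended up on, and classifies a netstat -lnp row the way a reviewer would read it. The names check_bind, classify, netstat_exposure, _QuietHandler and SAMPLE_NETSTAT_LINE are this example's own; the sample netstat row is constructed from the one quoted in the report.

```python
import ipaddress
import socket
import socketserver
from http.server import BaseHTTPRequestHandler

# Constructed sample, copied from the netstat output quoted in the report.
SAMPLE_NETSTAT_LINE = (
    "tcp        0      0 0.0.0.0:35593           0.0.0.0:*"
    "               LISTEN      2780/python"
)


class _QuietHandler(BaseHTTPRequestHandler):
    """Minimal handler so the bound socket is a real HTTP endpoint."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, format, *args):  # keep the demo quiet
        pass


class _Server(socketserver.TCPServer):
    # TCPServer (not HTTPServer) avoids the reverse-DNS lookup in
    # HTTPServer.server_bind, which can stall on hosts without DNS.
    allow_reuse_address = True


def classify(ip_text):
    """Map a bound/listening IP to an exposure class."""
    addr = ipaddress.ip_address(ip_text)
    if addr.is_loopback:            # 127.0.0.0/8 or ::1
        return "loopback"
    if addr.is_unspecified:         # 0.0.0.0 or ::  -> every interface
        return "all-interfaces"
    return "specific-interface"


def check_bind(host, port=0):
    """Bind an HTTP server to (host, port) and report where it really listens.

    Returns (bound_ip, exposure). Port 0 lets the kernel pick a free port,
    as `pydoc -b` does. The socket is closed before returning; nothing is served.
    The bound IP comes from getsockname(), so passing 'localhost' shows the
    concrete address the name resolved to, not the name itself.
    """
    srv = _Server((host, port), _QuietHandler)
    try:
        ip = srv.server_address[0]  # socketserver refreshes this after bind()
        return ip, classify(ip)
    finally:
        srv.server_close()


def netstat_exposure(line):
    """Parse one `netstat -lnp` row and classify its Local Address column.

    Returns (ip, port, exposure). Works for IPv6 wildcard rows such as ':::8080'.
    """
    local = line.split()[3]               # e.g. '0.0.0.0:35593'
    host, _, port = local.rpartition(":")
    return host, int(port), classify(host)


if __name__ == "__main__":
    for host in ("0.0.0.0", "127.0.0.1", "localhost"):
        try:
            ip, exposure = check_bind(host)
            print(f"bind {host!r:<12} -> listens on {ip:<10} ({exposure})")
        except socket.gaierror as exc:
            # A failing 'localhost' lookup is the breakage the reporter mentions.
            print(f"bind {host!r:<12} -> name resolution failed: {exc}")
    print("netstat row ->", netstat_exposure(SAMPLE_NETSTAT_LINE))
```

    Run it as a script: the first row reproduces the "all-interfaces" state from the report, the second shows what the fix gives, and the third exercises the localhost lookup so a misconfigured /etc/hosts or IPv6-only localhost surfaces as a resolution error rather than a silent fallback. The point of asserting on the effective address rather than the requested host is that the hostname the server prints in its banner says nothing about where the socket was bound.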
    @python-dev
    Mannequin

    python-dev mannequin commented Sep 17, 2014

    New changeset c438f6aaafa9 by Senthil Kumaran in branch '3.3':
    Issue bpo-22421 - Secure pydoc server run. Bind it to localhost instead of all interfaces.
    https://hg.python.org/cpython/rev/c438f6aaafa9

    New changeset d36c0f2ab821 by Senthil Kumaran in branch '3.4':
    Merge from 3.3
    https://hg.python.org/cpython/rev/d36c0f2ab821

    New changeset 9f7b97fac919 by Senthil Kumaran in branch 'default':
    Merge from 3.4
    https://hg.python.org/cpython/rev/9f7b97fac919

    @orsenthil
    Member

    2.7 was not affected and it was binding to localhost properly.

    Since it is a security-related issue, I have fixed it in 3.3 as well.
    The fix is now present in 3.4 and 3.5.

    @python-dev
    Mannequin

    python-dev mannequin commented Sep 30, 2014

    New changeset 02dae04b3e2b by Georg Brandl in branch '3.2':
    Issue bpo-22421 - Secure pydoc server run. Bind it to localhost instead of all interfaces.
    https://hg.python.org/cpython/rev/02dae04b3e2b

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022