[security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[hroncok]

BPO	42988
Nosy	@malemburg, @gpshead, @vstinner, @ned-deily, @ambv, @serhiy-storchaka, @JulienPalard, @hroncok, @frenzymadness, @miss-islington, @Fidget-Spinner
PRs	bpo-42988: Improve pydoc web server security #24285 bpo-42988: Fix security issue in the pydoc server #24337 bpo-42988: Remove the pydoc getfile feature #25015 [3.9] bpo-42988: Remove the pydoc getfile feature (GH-25015) #25064 [3.8] bpo-42988: Remove the pydoc getfile feature (GH-25015) #25065 [3.7] bpo-42988: Remove the pydoc getfile feature (GH-25015) #25066 [3.6] bpo-42988: Remove the pydoc getfile feature (GH-25015) #25067

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2021-03-29.19:39:54.149>
created_at = <Date 2021-01-21.12:18:37.837>
labels = ['type-security', '3.8', '3.9', '3.10', '3.7', 'library']
title = '[security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem'
updated_at = <Date 2021-03-29.19:39:54.148>
user = 'https://github.com/hroncok'

bugs.python.org fields:

activity = <Date 2021-03-29.19:39:54.148>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2021-03-29.19:39:54.149>
closer = 'vstinner'
components = ['Library (Lib)']
creation = <Date 2021-01-21.12:18:37.837>
creator = 'hroncok'
dependencies = []
files = []
hgrepos = []
issue_num = 42988
keywords = ['patch']
message_count = 30.0
messages = ['385412', '385413', '385415', '385418', '385420', '385421', '385422', '385435', '385460', '385485', '385488', '385489', '385492', '385503', '385710', '385721', '385866', '386221', '386222', '388399', '388451', '388452', '388455', '388645', '389452', '389695', '389699', '389700', '389710', '389711']
nosy_count = 11.0
nosy_names = ['lemburg', 'gregory.p.smith', 'vstinner', 'ned.deily', 'lukasz.langa', 'serhiy.storchaka', 'mdk', 'hroncok', 'frenzy', 'miss-islington', 'kj']
pr_nums = ['24285', '24337', '25015', '25064', '25065', '25066', '25067']
priority = 'critical'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue42988'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

[hroncok]

Hello Python security,
a Fedora user has reported the following security vulnerability to us (I was able to verify it):

Running pydoc -p allows other local users to extract arbitrary files.

Steps to Reproduce:

1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. http://localhost:8888/getfile?key=/home/dave/.ssh/id_rsa

Actual results:
any local user on the multi-user system can read all my keys and secrets

Expected results:
Access is prevented.

Additional info:
At least a warning should be printed, that this is insecure on multi-user systems.

Python notebook works around this by providing a token that is required to access the notepad. Depending on the system being able to read arbitrary files can allow to impersonate my, by e.g. stealing my ssh-key (if it is non-encrypted)

I've originally reported this to security@python.org but I was asked to open a public issue here.

[JulienPalard]

Nice find! I am able to reproduce it too in many Python releases.

I see differnt ways we can fix it:

# Using a random secret generated at startup time

Used any way, like by providing an hmac on getfile urls to ensure they are signed with the server secret.

Con: getfile URLS won't work from a run to another run (the secret should be random and changed at every start), and can't be shared (do someone share them in the first place?)

# Allowlist according to sys.path

In getfile implementation, we can check if the asked path is under a path from sys.path.

Con: If someone have ~/ in sys.path, we still can access all its home, or if someone start it using python -m pydoc while being in its home directory as Python will prepend the cwd in sys.path.

# Allowlist populated while generating links

Idea is: each time the server generates a getfile link, the target is added to an allowlist.

Each time a getfile link is requested, if the file is not in the allowlist, request is denied.

Con: Refreshing a page won't work after a server restart (thus having an empty allowlist).

# fnmatch allowlist

We could allow only .py files.

Con: Secrets stored in .py files under user project could still be leaked.

-----------------

My personal preference goes for the allowlist populated while generating links.

[vstinner]

Downstream Fedora issue: https://bugzilla.redhat.com/show_bug.cgi?id=1917807