spyder-terminal
Unsecured terminal access
Description of your problem
spyder-terminal runs an unsecured shell accessible to all users on the system, posing a huge security problem in multi-user environments.
What steps will reproduce the problem?
- Start spyder
- Use top or similar system monitor to identify the port that spyder_terminal.server is running on
- Open a web browser and navigate to localhost:<port> where <port> is the number identified in step 2
What is the expected output? What do you see instead?
I expect to see nothing, or at least be required to supply a password or token. Instead I immediately have full shell access through the web browser.
Please provide any additional information below
This might be OK on single-user systems, but in an HPC context where many users are logged in to the same computer it is a security disaster.
Versions and main components
- Terminal Version: 1.2.2
- Spyder Version: 5.3.0
- Python Version: 3.9
- Operating system: Linux
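
On a shared Linux host like the HPC case in this report, a user can list which of their own processes hold listening TCP sockets and who can connect to them; binding to loopback still leaves the port open to every other local account. This is an added example, not code from spyder-terminal or from this thread. It assumes IPv4 only (`/proc/net/tcp`) and a little-endian host, and the sample table is constructed.

```python
import os

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout: uid 1000 listening on
# 127.0.0.1:8080, root listening on 0.0.0.0:22, one established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

def parse_listeners(table):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Address bytes are stored reversed on little-endian hosts.
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(hex_ip)))
        found.append((ip, int(hex_port, 16), int(fields[7])))
    return found

def exposure(ip):
    """Describe who can open a connection to a socket bound to this address."""
    if ip.startswith("127."):
        return "any local user"
    if ip == "0.0.0.0":
        return "any local user and the network"
    return "hosts that can reach " + ip

def audit(table, uid):
    """List (port, bind address, exposure) for listeners owned by uid."""
    return [(port, ip, exposure(ip))
            for ip, port, owner in parse_listeners(table) if owner == uid]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # not on Linux: fall back to the constructed sample
    for port, ip, who in audit(table, os.getuid()):
        print(f"{ip}:{port} is reachable by {who}")
```

Any port it reports for a service without its own authentication is in the situation this issue describes.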
Hey @izahn, thanks a lot for reporting this serious security problem, of which we were not fully aware. We discussed it with the team and concluded the fix is not simple.
However, we'll try to address it in the next couple of months due to its relevance.
Thanks guys, appreciate it!