Source Code Disclosure (Python)
Description
This vulnerability occurs when Python source code files (.py) of a web application are directly accessible through HTTP requests due to server misconfiguration. Instead of executing the Python code, the web server serves the raw source files to anyone who requests them, exposing the application's internal logic, configuration details, and potentially sensitive data embedded in the code.
Remediation
Immediately restrict direct access to Python source code files by implementing the following measures:
1. Configure the web server properly: Ensure that .py files are not served as static content. For Apache, verify that Python files are handled by the appropriate handler (mod_wsgi, CGI, etc.) and add deny rules if needed. For Nginx, ensure .py files are passed to the application server (uWSGI, Gunicorn) rather than served directly.
2. Move source code outside the web root: Store Python application files outside the publicly accessible document root directory. Only static assets (CSS, JavaScript, images) should reside in the web root.
3. Implement access controls: Add explicit deny rules in your web server configuration (Apache syntax shown):
    <FilesMatch "\.py$">
        Require all denied
    </FilesMatch>
4. Use a proper deployment structure: Deploy Python web applications using WSGI servers with reverse proxy configurations that prevent direct file access.
5. Verify the fix: After implementing changes, attempt to access .py files directly through the browser to confirm they are no longer accessible.
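The following checker is an added example for the verification step above; it is not part of the original advisory or of any server's own tooling. It requests a list of application .py paths and flags any 200 response whose body reads like raw Python source rather than rendered output or an error page. The base URL, the path list and the offline stub responses are constructed assumptions; pass the real http_fetch (the default) to run it against a deployment you administer.

```python
# Added example (not part of the original advisory): checker for the
# "verify the fix" step. Base URL, paths and stub responses are assumptions.
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Patterns characteristic of Python source. Two or more matching in one
# response body is treated as "the raw file was served, not executed".
PY_SOURCE_PATTERNS = [
    re.compile(r"^\s*(?:from\s+\S+\s+)?import\s+\w+", re.M),
    re.compile(r"^\s*def\s+\w+\s*\(", re.M),
    re.compile(r"^\s*class\s+\w+\s*[:(]", re.M),
    re.compile(r"^\s*if\s+__name__\s*==\s*['\"]__main__['\"]\s*:", re.M),
]


def looks_like_python_source(body, min_hits=2):
    """Return True when at least min_hits of the source patterns match body."""
    hits = sum(1 for pattern in PY_SOURCE_PATTERNS if pattern.search(body))
    return hits >= min_hits


def http_fetch(url, timeout=5.0):
    """Return (status, body) for url; HTTP error pages are returned, not raised."""
    request = urllib.request.Request(url, headers={"User-Agent": "py-source-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.getcode(), response.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, ""


def classify(status, body):
    """Map one response to a verdict for the .py path that produced it."""
    if status is None:
        return "unreachable"
    if status == 200 and looks_like_python_source(body):
        return "exposed"    # raw source served: the misconfiguration is still present
    if status in (403, 404):
        return "blocked"    # denied, or not under the web root: expected after the fix
    return "served"         # 200 but not source (rendered page or handler output)


def check_paths(base_url, paths, fetch=http_fetch):
    """Return {path: verdict} for each .py path under base_url."""
    return {path: classify(*fetch(urljoin(base_url, path))) for path in paths}


# Constructed responses so the checker can be exercised offline: one exposed
# file, one denied by the server, one path answered with rendered HTML.
_STUB_RESPONSES = {
    "/app.py": (200, "import os\n\ndef main():\n    print(os.environ)\n"),
    "/config/settings.py": (403, "<html><body>403 Forbidden</body></html>"),
    "/index.py": (200, "<html><body>Welcome</body></html>"),
}


def stub_fetch(url):
    """Offline stand-in for http_fetch, keyed on the path portion of the URL."""
    path = urlsplit(url).path or "/"
    return _STUB_RESPONSES.get(path, (404, "Not Found"))


def run_offline_demo():
    """Run the checker against the stub responses; returns the verdict dict."""
    return check_paths("https://app.example.invalid/", list(_STUB_RESPONSES), fetch=stub_fetch)


if __name__ == "__main__":
    for path, verdict in run_offline_demo().items():
        print(f"{verdict:11s} {path}")
```

The source heuristic deliberately requires two matching constructs so that a rendered page that happens to mention the word "import" is not flagged; lower min_hits to 1 when checking very small modules. A "served" verdict is not a pass by itself: it means the path returned content that did not look like source, which is what a WSGI handler or a custom error page produces, so inspect those bodies manually. Run the checker from outside the reverse proxy so it sees exactly what an anonymous client sees.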