
Unsecured terminal access #320

Open

izahn opened this issue Apr 19, 2022 · 2 comments

izahn commented Apr 19, 2022

Description of your problem

spyder-terminal runs an unsecured shell accessible to all users on the system, posing a huge security problem in multi-user environments.

What steps will reproduce the problem?

  1. Start spyder
  2. Use top or similar system monitor to identify the port that spyder_terminal.server is running on
  3. Open a web browser and navigate to localhost:<port> where <port> is the number identified in step 2

What is the expected output? What do you see instead?

I expect to see nothing, or at least be required to supply a password or token. Instead I immediately have full shell access through the web browser.

Please provide any additional information below

This might be OK on single-user systems, but in an HPC context where many users are logged in to the same computer it is a security disaster.

Versions and main components

  • Terminal Version: 1.2.2
  • Spyder Version: 5.3.0
  • Python Version: 3.9
  • Operating system: Linux
izahn changed the title from "Unsecurred terminal access" to "Unsecured terminal access" on Apr 19, 2022
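The issue above is an instance of a general weakness: a helper web server bound to localhost that assumes "local" means "trusted", when on a shared host every logged-in user can reach loopback ports. The usual mitigation (as Jupyter does it) is to require a per-session secret token on every request. The following is an added example written for this thread, not spyder-terminal's own code and not from any participant; it uses only the Python standard library and a hypothetical `TokenGuardedServer` that refuses requests lacking a valid token, and it binds to an ephemeral port on 127.0.0.1 so it can be run anywhere.

```python
import secrets
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Hypothetical example server: shows token gating on a loopback web service.
# Binding to 127.0.0.1 alone does NOT keep other local users out; the token does.


def make_token() -> str:
    """Fresh random session token; the real service would write it to a
    mode-0600 file in the owner's home so only that user can read it."""
    return secrets.token_urlsafe(32)


def extract_token(handler: BaseHTTPRequestHandler):
    """Accept the token as 'Authorization: Bearer <t>' or as '?token=<t>'."""
    auth = handler.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    query = parse_qs(urlparse(handler.path).query)
    return query.get("token", [None])[0]


def make_handler(expected_token: str):
    expected = expected_token.encode()

    class TerminalHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            presented = extract_token(self)
            # Constant-time compare on bytes; a missing or wrong token is a 401.
            if presented is None or not secrets.compare_digest(presented.encode(), expected):
                self._reply(HTTPStatus.UNAUTHORIZED, b"token required\n")
                return
            self._reply(HTTPStatus.OK, b"terminal page would be served here\n")

        def _reply(self, status, body: bytes):
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return TerminalHandler


class TokenGuardedServer:
    """Loopback HTTP server that only answers requests carrying its token."""

    def __init__(self):
        self.token = make_token()
        self.httpd = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(self.token))
        self.port = self.httpd.server_address[1]
        self._thread = threading.Thread(target=self.httpd.serve_forever, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()


def fetch_status(port: int, token=None, as_header=False) -> int:
    """Return the HTTP status the server gives a client with the given token."""
    url = f"http://127.0.0.1:{port}/"
    headers = {}
    if token is not None:
        if as_header:
            headers["Authorization"] = f"Bearer {token}"
        else:
            url += f"?token={token}"
    try:
        with urlopen(Request(url, headers=headers), timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo() -> dict:
    """Exercise the server: unauthenticated and wrong-token clients get 401,
    the token holder gets 200 whether the token is sent in a header or query."""
    server = TokenGuardedServer()
    server.start()
    try:
        return {
            "no_token": fetch_status(server.port),
            "wrong_token": fetch_status(server.port, "not-the-token"),
            "query_token": fetch_status(server.port, server.token),
            "header_token": fetch_status(server.port, server.token, as_header=True),
        }
    finally:
        server.stop()


if __name__ == "__main__":
    print(demo())
```

The check that matters for the scenario in this issue is the first one: a second user who finds the port with `top` and browses to it gets a 401, not a shell. The token only helps if it is stored somewhere other users cannot read, which is why the comment in `make_token` points at a mode-0600 file in the owner's home directory.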
ccordoba12 (Member) commented Apr 22, 2022

Hey @izahn, thanks a lot for reporting this serious security problem, of which we were not fully aware. We discussed it with the team and concluded the fix is not simple.

However, we'll try to address it in the next couple of months due to its relevance.

izahn (Author) commented Apr 22, 2022

Thanks guys, appreciate it!
