diff options
| author |   Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2021-03-29 08:40:53 -0700 |
|---|---|---|
| committer |   Michał Górny <mgorny@gentoo.org> | 2021-04-03 01:26:39 +0200 |
| commit | 9bb39802fe1df2acc30e24871235f0ed8824ae3f (patch) | |
| tree | 8dad43b739e1bb1f3879e940f4e64ea2970df677 | |
| parent | [3.6] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881... (diff) | |
| download | cpython-gentoo-3.6.13_p1.tar.gz cpython-gentoo-3.6.13_p1.tar.bz2 cpython-gentoo-3.6.13_p1.zip | |
bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067)gentoo-3.6.13_p1
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
| -rw-r--r-- | Lib/pydoc.py | 18 | ||||
| -rw-r--r-- | Lib/test/test_pydoc.py | 6 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 |
3 files changed, 4 insertions, 24 deletions
diff --git a/Lib/pydoc.py b/Lib/pydoc.py index b521a550472..5247ef9ea27 100644 --- a/Lib/pydoc.py +++ b/Lib/pydoc.py @@ -2312,9 +2312,6 @@ def _url_handler(url, content_type="text/html"): %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div> </body></html>''' % (title, css_link, html_navbar(), contents) - def filelink(self, url, path): - return '<a href="getfile?key=%s">%s</a>' % (url, path) - html = _HTMLDoc() @@ -2400,19 +2397,6 @@ def _url_handler(url, content_type="text/html"): 'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results)) return 'Search Results', contents - def html_getfile(path): - """Get and display a source file listing safely.""" - path = urllib.parse.unquote(path) - with tokenize.open(path) as fp: - lines = html.escape(fp.read()) - body = '<pre>%s</pre>' % lines - heading = html.heading( - '<big><big><strong>File Listing</strong></big></big>', - '#ffffff', '#7799ee') - contents = heading + html.bigsection( - 'File: %s' % path, '#ffffff', '#ee77aa', body) - return 'getfile %s' % path, contents - def html_topics(): """Index of topic texts available.""" @@ -2504,8 +2488,6 @@ def _url_handler(url, content_type="text/html"): op, _, url = url.partition('=') if op == "search?key": title, content = html_search(url) - elif op == "getfile?key": - title, content = html_getfile(url) elif op == "topic?key": # try topics first, then objects. try: diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py index 00803d3305c..49bc3eb164b 100644 --- a/Lib/test/test_pydoc.py +++ b/Lib/test/test_pydoc.py @@ -1052,18 +1052,12 @@ class PydocUrlHandlerTest(PydocBaseTest): ("topic?key=def", "Pydoc: KEYWORD def"), ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), ("foobar", "Pydoc: Error - foobar"), - ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), ] with self.restrict_walk_packages(): for url, title in requests: self.call_url_handler(url, title) - path = string.__file__ - title = "Pydoc: getfile " + path - url = "getfile?key=" + path - self.call_url_handler(url, title) - class TestHelper(unittest.TestCase): def test_keywords(self): diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst new file mode 100644 index 00000000000..4b42dd05305 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst @@ -0,0 +1,4 @@ +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which +could be abused to read arbitrary files on the disk (directory traversal +vulnerability). Moreover, even source code of Python modules can contain +sensitive data like passwords. Vulnerability reported by David Schwörer. |