8000 bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067) · python/cpython@5b1e502 · GitHub
[go: up one dir, main page]
Skip to content
8000

Commit 5b1e502

Browse files
miss-islingtonvstinner
miss-islington
and
vstinner
authored
bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067)
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. (cherry picked from commit 9b99947) Co-authored-by: Victor Stinner <vstinner@python.org>
1 parent 4134f15 commit 5b1e502

File tree

3 files changed

+4
-24
lines changed

3 files changed

+4
-24
lines changed

Lib/pydoc.py

Lines changed: 0 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -2312,9 +2312,6 @@ def page(self, title, contents):
23122312
%s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
23132313
</body></html>''' % (title, css_link, html_navbar(), contents)
23142314

2315-
def filelink(self, url, path):
2316-
return '<a href="getfile?key=%s">%s</a>' % (url, path)
2317-
23182315

23192316
html = _HTMLDoc()
23202317

@@ -2400,19 +2397,6 @@ def bltinlink(name):
24002397
'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
24012398
return 'Search Results', contents
24022399

2403-
def html_getfile(path):
2404-
"""Get and display a source file listing safely."""
2405-
path = urllib.parse.unquote(path)
2406-
with tokenize.open(path) as fp:
2407-
lines = html.escape(fp.read())
2408-
body = '<pre>%s</pre>' % lines
2409-
heading = html.heading(
2410-
'<big><big><strong>File Listing</strong></big></big>',
2411-
'#ffffff', '#7799ee')
2412-
contents = heading + html.bigsection(
2413-
'File: %s' % path, '#ffffff', '#ee77aa', body)
2414-
return 'getfile %s' % path, contents
2415-
24162400
def html_topics():
24172401
"""Index of topic texts available."""
24182402

@@ -2504,8 +2488,6 @@ def get_html_page(url):
25042488
op, _, url = url.partition('=')
25052489
if op == "search?key":
25062490
title, content = html_search(url)
2507-
elif op == "getfile?key":
2508-
title, content = html_getfile(url)
25092491
elif op == "topic?key":
25102492
# try topics first, then objects.
25112493
try:

Lib/test/test_pydoc.py

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1052,18 +1052,12 @@ def test_url_requests(self):
10521052
("topic?key=def", "Pydoc: KEYWORD def"),
10531053
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
10541054
("foobar", "Pydoc: Error - foobar"),
1055-
("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
10561055
]
10571056

10581057
with self.restrict_walk_packages():
10591058
for url, title in requests:
10601059
self.call_url_handler(url, title)
10611060

1062-
path = string.__file__
1063-
title = "Pydoc: getfile " + path
1064-
url = "getfile?key=" + path
1065-
self.call_url_handler(url, title)
1066-
10671061

10681062
class TestHelper(unittest.TestCase):
10691063
def test_keywords(self):

Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
2+
could be abused to read arbitrary files on the disk (directory traversal
3+
vulnerability). Moreover, even source code of Python modules can contain
4+
sensitive data like passwords. Vulnerability reported by David Schwörer.

0 commit comments

Comments
 (0)
0