diff --git a/Lib/pydoc.py b/Lib/pydoc.py
index 35ef3ebdc688..ffa4b62c1f17 100755
--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
@@ -2457,9 +2457,6 @@ def page(self, title, contents):
 %s%s
%s
''' % (title, css_link, html_navbar(), contents)
- def filelink(self, url, path):
- return '%s' % (url, path)
-
 html = _HTMLDoc()
@@ -2545,19 +2542,6 @@ def bltinlink(name):
 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results))
 return 'Search Results', contents
- def html_getfile(path):
- """Get and display a source file listing safely."""
- path = urllib.parse.unquote(path)
- with tokenize.open(path) as fp:
- lines = html.escape(fp.read())
- body = '
%s
' % lines
- heading = html.heading(
- 'File Listing',
- '#ffffff', '#7799ee')
- contents = heading + html.bigsection(
- 'File: %s' % path, '#ffffff', '#ee77aa', body)
- return 'getfile %s' % path, contents
-
 def html_topics():
 """Index of topic texts available."""
@@ -2649,8 +2633,6 @@ def get_html_page(url):
 op, _, url = url.partition('=')
 if op == "search?key":
 title, content = html_search(url)
- elif op == "getfile?key":
- title, content = html_getfile(url)
 elif op == "topic?key":
 # try topics first, then objects.
 try:
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
index ffabb7f1b940..0bbdc42c635b 100644
--- a/Lib/test/test_pydoc.py
+++ b/Lib/test/test_pydoc.py
@@ -1374,18 +1374,12 @@ def test_url_requests(self):
 ("topic?key=def", "Pydoc: KEYWORD def"),
 ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
 ("foobar", "Pydoc: Error - foobar"),
- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
 ]
 with self.restrict_walk_packages():
 for url, title in requests:
 self.call_url_handler(url, title)
- path = string.__file__
- title = "Pydoc: getfile " + path
- url = "getfile?key=" + path
- self.call_url_handler(url, title)
-
 class TestHelper(unittest.TestCase):
 def test_keywords(self):
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
new file mode 100644
index 000000000000..4b42dd05305a
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schwörer.