mirrors
/
cpython
mirror of https://github.com/python/cpython.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

bpo-42988: Remove the pydoc getfile feature (GH-25015) 

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0)

Co-authored-by: Victor Stinner <vstinner@python.org>
This commit is contained in:
Miss Islington (bot) 2021-03-29 06:08:00 -07:00 committed by GitHub
parent 9a8e078024
commit ed753d9485
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Lib/pydoc.py
View File

@ -2457,9 +2457,6 @@ def page(self, title, contents):
%s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div> %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
</body></html>''' % (title, css_link, html_navbar(), contents) </body></html>''' % (title, css_link, html_navbar(), contents)
def filelink(self, url, path):
return '<a href="getfile?key=%s">%s</a>' % (url, path)
html = _HTMLDoc() html = _HTMLDoc()
@ -2545,19 +2542,6 @@ def bltinlink(name):
'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results)) 'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
return 'Search Results', contents return 'Search Results', contents
def html_getfile(path):
"""Get and display a source file listing safely."""
path = urllib.parse.unquote(path)
with tokenize.open(path) as fp:
lines = html.escape(fp.read())
body = '<pre>%s</pre>' % lines
heading = html.heading(
'<big><big><strong>File Listing</strong></big></big>',
'#ffffff', '#7799ee')
contents = heading + html.bigsection(
'File: %s' % path, '#ffffff', '#ee77aa', body)
return 'getfile %s' % path, contents
def html_topics(): def html_topics():
"""Index of topic texts available.""" """Index of topic texts available."""
@ -2649,8 +2633,6 @@ def get_html_page(url):
op, _, url = url.partition('=') op, _, url = url.partition('=')
if op == "search?key": if op == "search?key":
title, content = html_search(url) title, content = html_search(url)
elif op == "getfile?key":
title, content = html_getfile(url)
elif op == "topic?key": elif op == "topic?key":
# try topics first, then objects. # try topics first, then objects.
try: try:

6
Lib/test/test_pydoc.py
View File

@ -1374,18 +1374,12 @@ def test_url_requests(self):
("topic?key=def", "Pydoc: KEYWORD def"), ("topic?key=def", "Pydoc: KEYWORD def"),
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
("foobar", "Pydoc: Error - foobar"), ("foobar", "Pydoc: Error - foobar"),
("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
] ]
with self.restrict_walk_packages(): with self.restrict_walk_packages():
for url, title in requests: for url, title in requests:
self.call_url_handler(url, title) self.call_url_handler(url, title)
path = string.__file__
title = "Pydoc: getfile " + path
url = "getfile?key=" + path
self.call_url_handler(url, title)
class TestHelper(unittest.TestCase): class TestHelper(unittest.TestCase):
def test_keywords(self): def test_keywords(self):

4
Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst Normal file
View File

@ -0,0 +1,4 @@
CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
could be abused to read arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules can contain
sensitive data like passwords. Vulnerability reported by David Schwörer.