From 9b999479c0022edfc9835a8a1f06e046f3881048 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Mon, 29 Mar 2021 14:40:40 +0200 Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David SchwÃ¶rer. --- Lib/pydoc.py | 18 ------------------ Lib/test/test_pydoc.py | 6 ------ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++ 3 files changed, 4 insertions(+), 24 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst diff --git a/Lib/pydoc.py b/Lib/pydoc.py index 282a91799834..753ea97ba0c2 100755 --- a/Lib/pydoc.py +++ b/Lib/pydoc.py @@ -2456,9 +2456,6 @@ def _url_handler(url, content_type="text/html"): %s%s

''' % (title, css_link, html_navbar(), contents) - def filelink(self, url, path): - return '%s' % (url, path) - html = _HTMLDoc() @@ -2544,19 +2541,6 @@ def _url_handler(url, content_type="text/html"): 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results)) return 'Search Results', contents - def html_getfile(path): - """Get and display a source file listing safely.""" - path = urllib.parse.unquote(path) - with tokenize.open(path) as fp: - lines = html.escape(fp.read()) - body = '

%s

' % lines - heading = html.heading( - 'File Listing', - '#ffffff', '#7799ee') - contents = heading + html.bigsection( - 'File: %s' % path, '#ffffff', '#ee77aa', body) - return 'getfile %s' % path, contents - def html_topics(): """Index of topic texts available.""" @@ -2648,8 +2632,6 @@ def _url_handler(url, content_type="text/html"): op, _, url = url.partition('=') if op == "search?key": title, content = html_search(url) - elif op == "getfile?key": - title, content = html_getfile(url) elif op == "topic?key": # try topics first, then objects. try: diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py index 2f502627f4d0..3bc0e9e6b53b 100644 --- a/Lib/test/test_pydoc.py +++ b/Lib/test/test_pydoc.py @@ -1374,18 +1374,12 @@ class PydocUrlHandlerTest(PydocBaseTest): ("topic?key=def", "Pydoc: KEYWORD def"), ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), ("foobar", "Pydoc: Error - foobar"), - ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), ] with self.restrict_walk_packages(): for url, title in requests: self.call_url_handler(url, title) - path = string.__file__ - title = "Pydoc: getfile " + path - url = "getfile?key=" + path - self.call_url_handler(url, title) - class TestHelper(unittest.TestCase): def test_keywords(self): diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst new file mode 100644 index 000000000000..4b42dd05305a --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst @@ -0,0 +1,4 @@ +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which +could be abused to read arbitrary files on the disk (directory traversal +vulnerability). Moreover, even source code of Python modules can contain +sensitive data like passwords. Vulnerability reported by David SchwÃ¶rer. -- 2.47.3