git.ipfire.org Git - thirdparty/Python/cpython.git/commit
bpo-42988: Remove the pydoc getfile feature (GH-25015) (#25066)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Mon, 29 Mar 2021 15:39:05 +0000 (08:39 -0700)
committer GitHub <noreply@github.com>
Mon, 29 Mar 2021 15:39:05 +0000 (11:39 -0400)
commit 7c2284f97d140c4e4a85382bfb3a42440be2464d
tree 6768febe5a18f410568a4452659d3769a519813f
parent 79373951b3eab585d42e0f0ab83718cbe1d0ee33
bpo-42988: Remove the pydoc getfile feature (GH-25015) (#25066)

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <vstinner@python.org>
Lib/pydoc.py
Lib/test/test_pydoc.py
Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst [new file with mode: 0644]