]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9a8e078) | patch
bpo-42988: Remove the pydoc getfile feature (GH-25015)
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Mon, 29 Mar 2021 13:08:00 +0000 (06:08 -0700)
committerGitHub <noreply@github.com>
Mon, 29 Mar 2021 13:08:00 +0000 (06:08 -0700)
commited753d94856213ae9fc028195f670e66a24e2334
treed2418e91f49bd8e6e0a5a6210b822efec9aa454ctree | snapshot
parent9a8e0780247acb256dd8b04c15b3dd0f59ef2fe1commit | diff
bpo-42988: Remove the pydoc getfile feature (GH-25015)

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)

Co-authored-by: Victor Stinner <vstinner@python.org>
Lib/pydoc.py diff | blob | blame | history
Lib/test/test_pydoc.py diff | blob | blame | history
Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst [new file with mode: 0644] blob
Mirror of https://github.com/python/cpython.git