From ed753d94856213ae9fc028195f670e66a24e2334 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> Date: Mon, 29 Mar 2021 06:08:00 -0700 Subject: bpo-42988: Remove the pydoc getfile feature (GH-25015) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) Co-authored-by: Victor Stinner --- Lib/pydoc.py | 18 ------------------ 1 file changed, 18 deletions(-) (limited to 'Lib/pydoc.py') diff --git a/Lib/pydoc.py b/Lib/pydoc.py index 35ef3ebdc6..ffa4b62c1f 100755 --- a/Lib/pydoc.py +++ b/Lib/pydoc.py @@ -2457,9 +2457,6 @@ def _url_handler(url, content_type="text/html"): %s%s
%s
''' % (title, css_link, html_navbar(), contents) - def filelink(self, url, path): - return '%s' % (url, path) - html = _HTMLDoc() @@ -2545,19 +2542,6 @@ def _url_handler(url, content_type="text/html"): 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results)) return 'Search Results', contents - def html_getfile(path): - """Get and display a source file listing safely.""" - path = urllib.parse.unquote(path) - with tokenize.open(path) as fp: - lines = html.escape(fp.read()) - body = '
%s
' % lines - heading = html.heading( - 'File Listing', - '#ffffff', '#7799ee') - contents = heading + html.bigsection( - 'File: %s' % path, '#ffffff', '#ee77aa', body) - return 'getfile %s' % path, contents - def html_topics(): """Index of topic texts available.""" @@ -2649,8 +2633,6 @@ def _url_handler(url, content_type="text/html"): op, _, url = url.partition('=') if op == "search?key": title, content = html_search(url) - elif op == "getfile?key": - title, content = html_getfile(url) elif op == "topic?key": # try topics first, then objects. try: -- cgit v1.2.1