mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-04 00:48:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

bpo-42988: Remove the pydoc getfile feature (GH-25015)

Browse source 
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
This commit is contained in:
Victor Stinner 2021-03-29 14:40:40 +02:00 committed by GitHub
parent 4827483f47
commit 9b999479c0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Lib/test/test_pydoc.py
View file

@ -1374,18 +1374,12 @@ class PydocUrlHandlerTest(PydocBaseTest):
("topic?key=def", "Pydoc: KEYWORD def"),
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
("foobar", "Pydoc: Error - foobar"),
("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
]
with self.restrict_walk_packages():
for url, title in requests:
self.call_url_handler(url, title)
path = string.__file__
title = "Pydoc: getfile " + path
url = "getfile?key=" + path
self.call_url_handler(url, title)
class TestHelper(unittest.TestCase):
def test_keywords(self):