mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-20 01:35:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

bpo-42988: Remove the pydoc getfile feature (GH-25015)

Browse source 
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0)

Co-authored-by: Victor Stinner <vstinner@python.org>
This commit is contained in:
Miss Islington (bot) 2021-03-29 06:08:00 -07:00 committed by GitHub
parent 9a8e078024
commit ed753d9485
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Lib/test/test_pydoc.py
View file

@ -1374,18 +1374,12 @@ class PydocUrlHandlerTest(PydocBaseTest):
("topic?key=def", "Pydoc: KEYWORD def"),
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
("foobar", "Pydoc: Error - foobar"),
("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
]
with self.restrict_walk_packages():
for url, title in requests:
self.call_url_handler(url, title)
path = string.__file__
title = "Pydoc: getfile " + path
url = "getfile?key=" + path
self.call_url_handler(url, title)
class TestHelper(unittest.TestCase):
def test_keywords(self):