Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
python3.19550
CVE-2021-3426-inf-disclosure-pydoc-getfile.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2021-3426-inf-disclosure-pydoc-getfile.patch of Package python3.19550
From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> Date: Mon, 29 Mar 2021 08:40:53 -0700 Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) Co-authored-by: Victor Stinner <vstinner@python.org> --- Lib/pydoc.py | 18 ---------- Lib/test/test_pydoc.py | 6 --- Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++ 3 files changed, 4 insertions(+), 24 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst --- a/Lib/pydoc.py +++ b/Lib/pydoc.py @@ -2311,9 +2311,6 @@ def _url_handler(url, content_type="text %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div> </body></html>''' % (title, css_link, html_navbar(), contents) - def filelink(self, url, path): - return '<a href="getfile?key=%s">%s</a>' % (url, path) - html = _HTMLDoc() @@ -2399,19 +2396,6 @@ def _url_handler(url, content_type="text 'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results)) return 'Search Results', contents - def html_getfile(path): - """Get and display a source file listing safely.""" - path = urllib.parse.unquote(path) - with tokenize.open(path) as fp: - lines = html.escape(fp.read()) - body = '<pre>%s</pre>' % lines - heading = html.heading( - '<big><big><strong>File Listing</strong></big></big>', - '#ffffff', '#7799ee') - contents = heading + html.bigsection( - 'File: %s' % path, '#ffffff', '#ee77aa', body) - return 'getfile %s' % path, contents - def html_topics(): """Index of topic texts available.""" @@ -2503,8 +2487,6 @@ def _url_handler(url, content_type="text op, _, url = url.partition('=') if op == "search?key": title, content = html_search(url) - elif op == "getfile?key": - title, content = html_getfile(url) elif op == "topic?key": # try topics first, then objects. try: --- a/Lib/test/test_pydoc.py +++ b/Lib/test/test_pydoc.py @@ -1052,18 +1052,12 @@ class PydocUrlHandlerTest(PydocBaseTest) ("topic?key=def", "Pydoc: KEYWORD def"), ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), ("foobar", "Pydoc: Error - foobar"), - ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), ] with self.restrict_walk_packages(): for url, title in requests: self.call_url_handler(url, title) - path = string.__file__ - title = "Pydoc: getfile " + path - url = "getfile?key=" + path - self.call_url_handler(url, title) - class TestHelper(unittest.TestCase): def test_keywords(self): --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst @@ -0,0 +1,4 @@ +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which +could be abused to read arbitrary files on the disk (directory traversal +vulnerability). Moreover, even source code of Python modules can contain +sensitive data like passwords. Vulnerability reported by David Schwörer.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
