Blame SOURCES/00360-CVE-2021-3426.patch

From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Mon, 29 Mar 2021 08:40:53 -0700
Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
 (GH-25067)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
---
 Lib/pydoc.py                                   | 18 ------------------
 Lib/test/test_pydoc.py                         |  6 ------
 .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
 3 files changed, 4 insertions(+), 24 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
diff --git a/Lib/pydoc.py b/Lib/pydoc.py
0fa7ed
index b521a5504728c4..5247ef9ea27aa1 100644
0fa7ed
--- a/Lib/pydoc.py
0fa7ed
+++ b/Lib/pydoc.py
0fa7ed
@@ -2312,9 +2312,6 @@ def page(self, title, contents):
0fa7ed
 %s</head><body bgcolor="#f0f0f8">%s
%s
0fa7ed
 </body></html>''' % (title, css_link, html_navbar(), contents)
0fa7ed
 
0fa7ed
-        def filelink(self, url, path):
0fa7ed
-            return '%s' % (url, path)
0fa7ed
-
0fa7ed
 
0fa7ed
     html = _HTMLDoc()
0fa7ed
 
0fa7ed
@@ -2400,19 +2397,6 @@ def bltinlink(name):
0fa7ed
             'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results))
0fa7ed
         return 'Search Results', contents
0fa7ed
 
0fa7ed
-    def html_getfile(path):
0fa7ed
-        """Get and display a source file listing safely."""
0fa7ed
-        path = urllib.parse.unquote(path)
0fa7ed
-        with tokenize.open(path) as fp:
0fa7ed
-            lines = html.escape(fp.read())
0fa7ed
-        body = '
%s
' % lines
0fa7ed
-        heading = html.heading(
0fa7ed
-            '<big><big>File Listing</big></big>',
0fa7ed
-            '#ffffff', '#7799ee')
0fa7ed
-        contents = heading + html.bigsection(
0fa7ed
-            'File: %s' % path, '#ffffff', '#ee77aa', body)
0fa7ed
-        return 'getfile %s' % path, contents
0fa7ed
-
0fa7ed
     def html_topics():
0fa7ed
         """Index of topic texts available."""
0fa7ed
 
0fa7ed
@@ -2504,8 +2488,6 @@ def get_html_page(url):
0fa7ed
                 op, _, url = url.partition('=')
0fa7ed
                 if op == "search?key":
0fa7ed
                     title, content = html_search(url)
0fa7ed
-                elif op == "getfile?key":
0fa7ed
-                    title, content = html_getfile(url)
0fa7ed
                 elif op == "topic?key":
0fa7ed
                     # try topics first, then objects.
0fa7ed
                     try:
0fa7ed
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
0fa7ed
index 00803d3305cb53..49bc3eb164b19c 100644
0fa7ed
--- a/Lib/test/test_pydoc.py
0fa7ed
+++ b/Lib/test/test_pydoc.py
0fa7ed
@@ -1052,18 +1052,12 @@ def test_url_requests(self):
0fa7ed
             ("topic?key=def", "Pydoc: KEYWORD def"),
0fa7ed
             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
0fa7ed
             ("foobar", "Pydoc: Error - foobar"),
0fa7ed
-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
0fa7ed
             ]
0fa7ed
 
0fa7ed
         with self.restrict_walk_packages():
0fa7ed
             for url, title in requests:
0fa7ed
                 self.call_url_handler(url, title)
0fa7ed
 
0fa7ed
-            path = string.__file__
0fa7ed
-            title = "Pydoc: getfile " + path
0fa7ed
-            url = "getfile?key=" + path
0fa7ed
-            self.call_url_handler(url, title)
0fa7ed
-
0fa7ed
 
0fa7ed
 class TestHelper(unittest.TestCase):
0fa7ed
     def test_keywords(self):
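Review bot: No test in `test_url_requests` pins that `getfile?key=` requests are now rejected, so a reintroduced file-listing handler would not fail the suite. The deleted row `("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),` should presumably still pass after this change, because an unrecognised `op` in `get_html_page` appears to fall through to the error page (that branch is outside the visible hunks); keeping it would serve as a regression guard for CVE-2021-3426. A stronger case would request a path that does exist, built from `string.__file__` as the deleted block did, and expect the error title rather than a `getfile` listing; the exact title string should be confirmed against `html_error`. `test_url_requests` starts above this hunk.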
0fa7ed
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
0fa7ed
new file mode 100644
0fa7ed
index 00000000000000..4b42dd05305a83
0fa7ed
--- /dev/null
0fa7ed
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
0fa7ed
@@ -0,0 +1,4 @@
0fa7ed
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
0fa7ed
+could be abused to read arbitrary files on the disk (directory traversal
0fa7ed
+vulnerability). Moreover, even source code of Python modules can contain
0fa7ed
+sensitive data like passwords. Vulnerability reported by David Schwörer.