Blame SOURCES/00360-CVE-2021-3426.patch

ba8dbd
From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
ba8dbd
From: "Miss Islington (bot)"
ba8dbd
 <31488909+miss-islington@users.noreply.github.com>
ba8dbd
Date: Mon, 29 Mar 2021 08:40:53 -0700
ba8dbd
Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
ba8dbd
 (GH-25067)
ba8dbd
MIME-Version: 1.0
ba8dbd
Content-Type: text/plain; charset=UTF-8
ba8dbd
Content-Transfer-Encoding: 8bit
ba8dbd
ba8dbd
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
ba8dbd
could be abused to read arbitrary files on the disk (directory
ba8dbd
traversal vulnerability). Moreover, even source code of Python
ba8dbd
modules can contain sensitive data like passwords. Vulnerability
ba8dbd
reported by David Schwörer.
ba8dbd
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
ba8dbd
ba8dbd
Co-authored-by: Victor Stinner <vstinner@python.org>
ba8dbd
---
ba8dbd
 Lib/pydoc.py                                   | 18 ------------------
ba8dbd
 Lib/test/test_pydoc.py                         |  6 ------
ba8dbd
 .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
ba8dbd
 3 files changed, 4 insertions(+), 24 deletions(-)
ba8dbd
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
ba8dbd
ba8dbd
diff --git a/Lib/pydoc.py b/Lib/pydoc.py
ba8dbd
index b521a5504728c4..5247ef9ea27aa1 100644
ba8dbd
--- a/Lib/pydoc.py
ba8dbd
+++ b/Lib/pydoc.py
ba8dbd
@@ -2312,9 +2312,6 @@ def page(self, title, contents):
ba8dbd
 %s</head><body bgcolor="#f0f0f8">%s
%s
ba8dbd
 </body></html>''' % (title, css_link, html_navbar(), contents)
ba8dbd
 
ba8dbd
-        def filelink(self, url, path):
ba8dbd
-            return '%s' % (url, path)
ba8dbd
-
ba8dbd
 
ba8dbd
     html = _HTMLDoc()
ba8dbd
 
ba8dbd
@@ -2400,19 +2397,6 @@ def bltinlink(name):
ba8dbd
             'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results))
ba8dbd
         return 'Search Results', contents
ba8dbd
 
ba8dbd
-    def html_getfile(path):
ba8dbd
-        """Get and display a source file listing safely."""
ba8dbd
-        path = urllib.parse.unquote(path)
ba8dbd
-        with tokenize.open(path) as fp:
ba8dbd
-            lines = html.escape(fp.read())
ba8dbd
-        body = '
%s
' % lines
ba8dbd
-        heading = html.heading(
ba8dbd
-            '<big><big>File Listing</big></big>',
ba8dbd
-            '#ffffff', '#7799ee')
ba8dbd
-        contents = heading + html.bigsection(
ba8dbd
-            'File: %s' % path, '#ffffff', '#ee77aa', body)
ba8dbd
-        return 'getfile %s' % path, contents
ba8dbd
-
ba8dbd
     def html_topics():
ba8dbd
         """Index of topic texts available."""
ba8dbd
 
ba8dbd
@@ -2504,8 +2488,6 @@ def get_html_page(url):
ba8dbd
                 op, _, url = url.partition('=')
ba8dbd
                 if op == "search?key":
ba8dbd
                     title, content = html_search(url)
ba8dbd
-                elif op == "getfile?key":
ba8dbd
-                    title, content = html_getfile(url)
ba8dbd
                 elif op == "topic?key":
ba8dbd
                     # try topics first, then objects.
ba8dbd
                     try:
ba8dbd
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
ba8dbd
index 00803d3305cb53..49bc3eb164b19c 100644
ba8dbd
--- a/Lib/test/test_pydoc.py
ba8dbd
+++ b/Lib/test/test_pydoc.py
ba8dbd
@@ -1052,18 +1052,12 @@ def test_url_requests(self):
ba8dbd
             ("topic?key=def", "Pydoc: KEYWORD def"),
ba8dbd
             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
ba8dbd
             ("foobar", "Pydoc: Error - foobar"),
ba8dbd
-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
ba8dbd
             ]
ba8dbd
 
ba8dbd
         with self.restrict_walk_packages():
ba8dbd
             for url, title in requests:
ba8dbd
                 self.call_url_handler(url, title)
ba8dbd
 
ba8dbd
-            path = string.__file__
ba8dbd
-            title = "Pydoc: getfile " + path
ba8dbd
-            url = "getfile?key=" + path
ba8dbd
-            self.call_url_handler(url, title)
ba8dbd
-
ba8dbd
 
ba8dbd
 class TestHelper(unittest.TestCase):
ba8dbd
     def test_keywords(self):
ba8dbd
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
ba8dbd
new file mode 100644
ba8dbd
index 00000000000000..4b42dd05305a83
ba8dbd
--- /dev/null
ba8dbd
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
ba8dbd
@@ -0,0 +1,4 @@
ba8dbd
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
ba8dbd
+could be abused to read arbitrary files on the disk (directory traversal
ba8dbd
+vulnerability). Moreover, even source code of Python modules can contain
ba8dbd
+sensitive data like passwords. Vulnerability reported by David Schwörer.