diff --git a/Lib/pydoc.py b/Lib/pydoc.py index 978e4cd0baa5ba..9677c0d0468db0 100644 --- a/Lib/pydoc.py +++ b/Lib/pydoc.py @@ -2348,9 +2348,6 @@ def page(self, title, contents): %s%s
%s
''' % (title, css_link, html_navbar(), contents) - def filelink(self, url, path): - return '%s' % (url, path) - html = _HTMLDoc() @@ -2436,19 +2433,6 @@ def bltinlink(name): 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results)) return 'Search Results', contents - def html_getfile(path): - """Get and display a source file listing safely.""" - path = urllib.parse.unquote(path) - with tokenize.open(path) as fp: - lines = html.escape(fp.read()) - body = '
%s
' % lines - heading = html.heading( - 'File Listing', - '#ffffff', '#7799ee') - contents = heading + html.bigsection( - 'File: %s' % path, '#ffffff', '#ee77aa', body) - return 'getfile %s' % path, contents - def html_topics(): """Index of topic texts available.""" @@ -2540,8 +2524,6 @@ def get_html_page(url): op, _, url = url.partition('=') if op == "search?key": title, content = html_search(url) - elif op == "getfile?key": - title, content = html_getfile(url) elif op == "topic?key": # try topics first, then objects. try: diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py index 198cea93eb52d7..baad8212c573dc 100644 --- a/Lib/test/test_pydoc.py +++ b/Lib/test/test_pydoc.py @@ -1049,18 +1049,12 @@ def test_url_requests(self): ("topic?key=def", "Pydoc: KEYWORD def"), ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), ("foobar", "Pydoc: Error - foobar"), - ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), ] with self.restrict_walk_packages(): for url, title in requests: self.call_url_handler(url, title) - path = string.__file__ - title = "Pydoc: getfile " + path - url = "getfile?key=" + path - self.call_url_handler(url, title) - class TestHelper(unittest.TestCase): def test_keywords(self): diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst new file mode 100644 index 00000000000000..4b42dd05305a83 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst @@ -0,0 +1,4 @@ +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which +could be abused to read arbitrary files on the disk (directory traversal +vulnerability). Moreover, even source code of Python modules can contain +sensitive data like passwords. Vulnerability reported by David Schwörer.