diff options
| author | Victor Stinner <vstinner@python.org> | 2021-03-29 12:40:40 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-29 12:40:40 (GMT) |
| commit | 9b999479c0022edfc9835a8a1f06e046f3881048 (patch) | |
| tree | 6a56be72c600d87ef99093f2af420a8ee6ae53f7 /Lib/test/test_pydoc.py | |
| parent | 4827483f47906fecee6b5d9097df2a69a293a85c (diff) | |
| download | cpython-9b999479c0022edfc9835a8a1f06e046f3881048.zip cpython-9b999479c0022edfc9835a8a1f06e046f3881048.tar.gz cpython-9b999479c0022edfc9835a8a1f06e046f3881048.tar.bz2 | |
bpo-42988: Remove the pydoc getfile feature (GH-25015)
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
Diffstat (limited to 'Lib/test/test_pydoc.py')
| -rw-r--r-- | Lib/test/test_pydoc.py | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py index 2f50262..3bc0e9e 100644 --- a/Lib/test/test_pydoc.py +++ b/Lib/test/test_pydoc.py @@ -1374,18 +1374,12 @@ class PydocUrlHandlerTest(PydocBaseTest): ("topic?key=def", "Pydoc: KEYWORD def"), ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), ("foobar", "Pydoc: Error - foobar"), - ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), ] with self.restrict_walk_packages(): for url, title in requests: self.call_url_handler(url, title) - path = string.__file__ - title = "Pydoc: getfile " + path - url = "getfile?key=" + path - self.call_url_handler(url, title) - class TestHelper(unittest.TestCase): def test_keywords(self): |