bpo-42988: Remove the pydoc getfile feature (GH-25015)

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
author: Victor Stinner <vstinner@python.org> 2021-03-29 12:40:40 (GMT)
committer: GitHub <noreply@github.com> 2021-03-29 12:40:40 (GMT)
commit: 9b999479c0022edfc9835a8a1f06e046f3881048 (patch)
tree: 6a56be72c600d87ef99093f2af420a8ee6ae53f7 /Misc/NEWS.d/next/Security
parent: 4827483f47906fecee6b5d9097df2a69a293a85c (diff)
download: cpython-9b999479c0022edfc9835a8a1f06e046f3881048.zip
cpython-9b999479c0022edfc9835a8a1f06e046f3881048.tar.gz
cpython-9b999479c0022edfc9835a8a1f06e046f3881048.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
new file mode 100644
index 0000000..4b42dd0
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schwörer.
author	Victor Stinner <vstinner@python.org>	2021-03-29 12:40:40 (GMT)
committer	GitHub <noreply@github.com>	2021-03-29 12:40:40 (GMT)
commit	9b999479c0022edfc9835a8a1f06e046f3881048 (patch)
tree	6a56be72c600d87ef99093f2af420a8ee6ae53f7 /Misc/NEWS.d/next/Security
parent	4827483f47906fecee6b5d9097df2a69a293a85c (diff)
download	cpython-9b999479c0022edfc9835a8a1f06e046f3881048.zip cpython-9b999479c0022edfc9835a8a1f06e046f3881048.tar.gz cpython-9b999479c0022edfc9835a8a1f06e046f3881048.tar.bz2