[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread STINNER Victor
Change by STINNER Victor: resolution: -> fixed; stage: patch review -> resolved; status: open -> closed

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread Ned Deily
Ned Deily added the comment: New changeset 5b1e50256b6532667b6d31debc350f6c7d3f30aa by Miss Islington (bot) in branch '3.6': bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067) https://github.com/python/cpython/commit/5b1e50256b6532667b6d31debc350f6c7d3f30aa

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread Ned Deily
Ned Deily added the comment: New changeset 7c2284f97d140c4e4a85382bfb3a42440be2464d by Miss Islington (bot) in branch '3.7': bpo-42988: Remove the pydoc getfile feature (GH-25015) (#25066) https://github.com/python/cpython/commit/7c2284f97d140c4e4a85382bfb3a42440be2464d

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread miss-islington
miss-islington added the comment: New changeset ed753d94856213ae9fc028195f670e66a24e2334 by Miss Islington (bot) in branch '3.9': bpo-42988: Remove the pydoc getfile feature (GH-25015) https://github.com/python/cpython/commit/ed753d94856213ae9fc028195f670e66a24e2334

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread miss-islington
miss-islington added the comment: New changeset 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 by Miss Islington (bot) in branch '3.8': bpo-42988: Remove the pydoc getfile feature (GH-25015) https://github.com/python/cpython/commit/7e38d3309e0a5a7b9e23ef933aef0079c6e317f7

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread miss-islington
Change by miss-islington: pull_requests: +23817; pull_request: https://github.com/python/cpython/pull/25067

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread miss-islington
Change by miss-islington: pull_requests: +23816; pull_request: https://github.com/python/cpython/pull/25066

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread STINNER Victor
STINNER Victor added the comment: New changeset 9b999479c0022edfc9835a8a1f06e046f3881048 by Victor Stinner in branch 'master': bpo-42988: Remove the pydoc getfile feature (GH-25015) https://github.com/python/cpython/commit/9b999479c0022edfc9835a8a1f06e046f3881048

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread miss-islington
Change by miss-islington: pull_requests: +23815; pull_request: https://github.com/python/cpython/pull/25065

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-29 Thread miss-islington
Change by miss-islington: nosy: +miss-islington; nosy_count: 10.0 -> 11.0; pull_requests: +23814; pull_request: https://github.com/python/cpython/pull/25064

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-24 Thread STINNER Victor
STINNER Victor added the comment: The "pydoc -p port" command only listens on the local link ("localhost") by default, even if it's possible to listen on another IPv4 address using -n HOSTNAME command line option. While the "getfile" feature is convenient when the pydoc server is accessed

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-24 Thread STINNER Victor
Change by STINNER Victor: pull_requests: +23770; pull_request: https://github.com/python/cpython/pull/25015

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-13 Thread Gregory P. Smith
Gregory P. Smith added the comment: FWIW, I don't think we should even have a server feature in pydoc...
nosy: +gregory.p.smith

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-10 Thread Lumír Balhar
Change by Lumír Balhar: nosy: +frenzy

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-10 Thread STINNER Victor
STINNER Victor added the comment: Fedora downstream issue: https://bugzilla.redhat.com/show_bug.cgi?id=1937476

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-10 Thread STINNER Victor
STINNER Victor added the comment: I created https://python-security.readthedocs.io/vuln/pydoc-getfile.html to track this vulnerability. There is no CVE section yet since the CVE is currently only *RESERVED*.

[issue42988] [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-03-10 Thread Miro Hrončok
Miro Hrončok added the comment: This is now CVE-2021-3426.
title: [security] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem -> [security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read