!80 fix CVE-2021-3426

From: @tong_1001 Reviewed-by: @hanxinke Signed-off-by: @hanxinke
2021-06-01 11:03:06 +08:00 · 2021-06-01 11:03:06 +08:00 · b759b327f3
commit b759b327f3
parent f52241bbd6 d004b266e9
2 changed files with 114 additions and 1 deletions
--- a/backport-CVE-2021-3426.patch
+++ b/backport-CVE-2021-3426.patch
@ -0,0 +1,105 @@
 From 7c2284f97d140c4e4a85382bfb3a42440be2464d Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Mon, 29 Mar 2021 08:39:05 -0700
 Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
 (#25066)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Reference:https://github.com/python/cpython/commit/7c2284f97d140c4e4a85382bfb3a42440be2464d
 CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
 could be abused to read arbitrary files on the disk (directory
 traversal vulnerability). Moreover, even source code of Python
 modules can contain sensitive data like passwords. Vulnerability
 reported by David Schwörer.
 (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
 Co-authored-by: Victor Stinner <vstinner@python.org>
 Co-authored-by: Victor Stinner <vstinner@python.org>
 ---
 Lib/pydoc.py                                   | 18 ------------------
 Lib/test/test_pydoc.py                         |  6 ------
 .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
 3 files changed, 4 insertions(+), 24 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
 diff --git a/Lib/pydoc.py b/Lib/pydoc.py
 index 978e4cd0baa5ba..9677c0d0468db0 100644
 --- a/Lib/pydoc.py
 +++ b/Lib/pydoc.py
@@ -2348,9 +2348,6 @@ def page(self, title, contents):
 %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
 </body></html>''' % (title, css_link, html_navbar(), contents)
 -        def filelink(self, url, path):
 -            return '<a href="getfile?key=%s">%s</a>' % (url, path)
 -
     html = _HTMLDoc()
@@ -2436,19 +2433,6 @@ def bltinlink(name):
             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
         return 'Search Results', contents
 -    def html_getfile(path):
 -        """Get and display a source file listing safely."""
 -        path = urllib.parse.unquote(path)
 -        with tokenize.open(path) as fp:
 -            lines = html.escape(fp.read())
 -        body = '<pre>%s</pre>' % lines
 -        heading = html.heading(
 -            '<big><big><strong>File Listing</strong></big></big>',
 -            '#ffffff', '#7799ee')
 -        contents = heading + html.bigsection(
 -            'File: %s' % path, '#ffffff', '#ee77aa', body)
 -        return 'getfile %s' % path, contents
 -
     def html_topics():
         """Index of topic texts available."""
@@ -2540,8 +2524,6 @@ def get_html_page(url):
                 op, _, url = url.partition('=')
                 if op == "search?key":
                     title, content = html_search(url)
 -                elif op == "getfile?key":
 -                    title, content = html_getfile(url)
                 elif op == "topic?key":
                     # try topics first, then objects.
                     try:
 diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
 index 198cea93eb52d7..baad8212c573dc 100644
 --- a/Lib/test/test_pydoc.py
 +++ b/Lib/test/test_pydoc.py
@@ -1049,18 +1049,12 @@ def test_url_requests(self):
             ("topic?key=def", "Pydoc: KEYWORD def"),
             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
             ("foobar", "Pydoc: Error - foobar"),
 -            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
             ]
         with self.restrict_walk_packages():
             for url, title in requests:
                 self.call_url_handler(url, title)
 -            path = string.__file__
 -            title = "Pydoc: getfile " + path
 -            url = "getfile?key=" + path
 -            self.call_url_handler(url, title)
 -
 class TestHelper(unittest.TestCase):
     def test_keywords(self):
 diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
 new file mode 100644
 index 00000000000000..4b42dd05305a83
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
 +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
 +could be abused to read arbitrary files on the disk (directory traversal
 +vulnerability). Moreover, even source code of Python modules can contain
 +sensitive data like passwords. Vulnerability reported by David Schwörer.
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.7.9
-Release: 13
+Release: 14
 License: Python
 %global branchversion 3.7
@ -141,6 +141,7 @@ Patch6032:  backport-35823-Allow-setsid-after-vfork-on-Linux.-GH-2294.patch
 Patch6033:  backport-42146-Fix-memory-leak-in-subprocess.Popen-in-cas.patch
 Patch6034:  backport-42146-Unify-cleanup-in-subprocess_fork_exec-GH-2.patch
 patch6035:  backport-Remove-thread-objects-which-finished-process-its-request.patch
 patch6036:  backport-CVE-2021-3426.patch
 Recommends: %{name}-help = %{version}-%{release}
 Provides: python%{branchversion} = %{version}-%{release}
@ -268,6 +269,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6033 -p1
 %patch6034 -p1
 %patch6035 -p1
 %patch6036 -p1
 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
 rm configure pyconfig.h.in
@ -869,6 +871,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
 * Mon May 31 2021 shixuantong<shixuantong@huawei.com> - 3.7.9-14
 - Type:CVE
 - CVE:CVE-2021-3426
 - SUG:NA
 - DESC:fix CVE-2021-3426
 * Sat May 29 2021 BruceGW<gyl93216@163.com> -3.7.9-13
 - Type:bugfix
 - ID:NA