Add pydoc bpo-42988

vstinner · Mar 10, 2021 · 96d9edb · 96d9edb
1 parent f514905
commit 96d9edb
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/bugs.txt b/bugs.txt
@@ -324,3 +324,8 @@
     date: 2021-01-19.15:06:48.939
     title: '[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - semicolon
         as a query args separator'
+42988:
+    author: "Miro Hron\u010Dok"
+    date: 2021-01-21.12:18:37.585
+    title: '[security] Information disclosure via pydoc -p: /getfile?key=path allows
+        to read arbitrary file on the filesystem'
diff --git a/vulnerabilities.yaml b/vulnerabilities.yaml
@@ -1666,3 +1666,12 @@
 
     The fix is to only use ampersands ``&`` as separators, and add a
     *separator* parameter to chose the separator characters.
+
+- name: "Information disclosure via pydoc getfile"
+  slug: pydoc-getfile
+  bpo: 42988
+  description: |
+    Running "pydoc -p" allows other local users to extract arbitrary files.
+
+    The "/getfile?key=path" URL allows to read arbitrary file on the
+    filesystem.