All of lore.kernel.org
 help / color / mirror / Atom feed
* [dunfell][PATCH] python3: fix CVE-2021-3426
@ 2021-06-21 14:49 Minjae Kim
  2021-06-21 16:07 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 3+ messages in thread
From: Minjae Kim @ 2021-06-21 14:49 UTC (permalink / raw)
  To: openembedded-core; +Cc: Minjae Kim

Remove the pydoc getfile feature

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.

reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3426
https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8
---
 .../python/python3/CVE-2021-3426.patch        | 105 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 2 files changed, 106 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3426.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3426.patch b/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
new file mode 100644
index 0000000000..68bd7d9296
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
@@ -0,0 +1,105 @@
+From 9b999479c0022edfc9835a8a1f06e046f3881048 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Mon, 29 Mar 2021 14:40:40 +0200
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+
+Upstream-Status: Acepted
+[https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8]
+CVE: CVE-2021-3426
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+
+---
+ Lib/pydoc.py                                   | 18 ------------------
+ Lib/test/test_pydoc.py                         |  6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index 282a917998..753ea97ba0 100755
+--- a/Lib/pydoc.py
++++ b/Lib/pydoc.py
+@@ -2456,9 +2456,6 @@ def page(self, title, contents):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+ 
+-        def filelink(self, url, path):
+-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+ 
+     html = _HTMLDoc()
+ 
+@@ -2544,19 +2541,6 @@ def bltinlink(name):
+             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+         return 'Search Results', contents
+ 
+-    def html_getfile(path):
+-        """Get and display a source file listing safely."""
+-        path = urllib.parse.unquote(path)
+-        with tokenize.open(path) as fp:
+-            lines = html.escape(fp.read())
+-        body = '<pre>%s</pre>' % lines
+-        heading = html.heading(
+-            '<big><big><strong>File Listing</strong></big></big>',
+-            '#ffffff', '#7799ee')
+-        contents = heading + html.bigsection(
+-            'File: %s' % path, '#ffffff', '#ee77aa', body)
+-        return 'getfile %s' % path, contents
+-
+     def html_topics():
+         """Index of topic texts available."""
+ 
+@@ -2648,8 +2632,6 @@ def get_html_page(url):
+                 op, _, url = url.partition('=')
+                 if op == "search?key":
+                     title, content = html_search(url)
+-                elif op == "getfile?key":
+-                    title, content = html_getfile(url)
+                 elif op == "topic?key":
+                     # try topics first, then objects.
+                     try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index 2f502627f4..3bc0e9e6b5 100644
+--- a/Lib/test/test_pydoc.py
++++ b/Lib/test/test_pydoc.py
+@@ -1374,18 +1374,12 @@ def test_url_requests(self):
+             ("topic?key=def", "Pydoc: KEYWORD def"),
+             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+             ("foobar", "Pydoc: Error - foobar"),
+-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+             ]
+ 
+         with self.restrict_walk_packages():
+             for url, title in requests:
+                 self.call_url_handler(url, title)
+ 
+-            path = string.__file__
+-            title = "Pydoc: getfile " + path
+-            url = "getfile?key=" + path
+-            self.call_url_handler(url, title)
+-
+ 
+ class TestHelper(unittest.TestCase):
+     def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 0000000000..4b42dd0530
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
++could be abused to read arbitrary files on the disk (directory traversal
++vulnerability). Moreover, even source code of Python modules can contain
++sensitive data like passwords. Vulnerability reported by David Schwörer.
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index 072ce97472..cbeb599705 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -39,6 +39,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://CVE-2020-26116.patch \
            file://CVE-2020-27619.patch \
            file://CVE-2021-3177.patch \
+           file://CVE-2021-3426.patch \
            "
 
 SRC_URI_append_class-native = " \
-- 
2.24.3 (Apple Git-128)


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [OE-core] [dunfell][PATCH] python3: fix CVE-2021-3426
  2021-06-21 14:49 [dunfell][PATCH] python3: fix CVE-2021-3426 Minjae Kim
@ 2021-06-21 16:07 ` Steve Sakoman
  2021-06-21 17:22   ` Tim Orling
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Sakoman @ 2021-06-21 16:07 UTC (permalink / raw)
  To: Minjae Kim; +Cc: Patches and discussions about the oe-core layer

Thanks for the patch!

I'm going to wait a bit on merging this because we are evaluating
doing a series of bug fix version bumps for python.  If successful
this CVE would be among those fixed by the version bumps.

Steve

On Mon, Jun 21, 2021 at 4:49 AM Minjae Kim <flowergom@gmail.com> wrote:
>
> Remove the pydoc getfile feature
>
> CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
> could be abused to read arbitrary files on the disk (directory
> traversal vulnerability). Moreover, even source code of Python
> modules can contain sensitive data like passwords. Vulnerability
> reported by David Schwörer.
>
> reference:
> https://nvd.nist.gov/vuln/detail/CVE-2021-3426
> https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8
> ---
>  .../python/python3/CVE-2021-3426.patch        | 105 ++++++++++++++++++
>  meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
>  2 files changed, 106 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3426.patch
>
> diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3426.patch b/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
> new file mode 100644
> index 0000000000..68bd7d9296
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
> @@ -0,0 +1,105 @@
> +From 9b999479c0022edfc9835a8a1f06e046f3881048 Mon Sep 17 00:00:00 2001
> +From: Victor Stinner <vstinner@python.org>
> +Date: Mon, 29 Mar 2021 14:40:40 +0200
> +Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
> +could be abused to read arbitrary files on the disk (directory
> +traversal vulnerability). Moreover, even source code of Python
> +modules can contain sensitive data like passwords. Vulnerability
> +reported by David Schwörer.
> +
> +Upstream-Status: Acepted
> +[https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8]
> +CVE: CVE-2021-3426
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +
> +---
> + Lib/pydoc.py                                   | 18 ------------------
> + Lib/test/test_pydoc.py                         |  6 ------
> + .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
> + 3 files changed, 4 insertions(+), 24 deletions(-)
> + create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> +
> +diff --git a/Lib/pydoc.py b/Lib/pydoc.py
> +index 282a917998..753ea97ba0 100755
> +--- a/Lib/pydoc.py
> ++++ b/Lib/pydoc.py
> +@@ -2456,9 +2456,6 @@ def page(self, title, contents):
> + %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
> + </body></html>''' % (title, css_link, html_navbar(), contents)
> +
> +-        def filelink(self, url, path):
> +-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
> +-
> +
> +     html = _HTMLDoc()
> +
> +@@ -2544,19 +2541,6 @@ def bltinlink(name):
> +             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
> +         return 'Search Results', contents
> +
> +-    def html_getfile(path):
> +-        """Get and display a source file listing safely."""
> +-        path = urllib.parse.unquote(path)
> +-        with tokenize.open(path) as fp:
> +-            lines = html.escape(fp.read())
> +-        body = '<pre>%s</pre>' % lines
> +-        heading = html.heading(
> +-            '<big><big><strong>File Listing</strong></big></big>',
> +-            '#ffffff', '#7799ee')
> +-        contents = heading + html.bigsection(
> +-            'File: %s' % path, '#ffffff', '#ee77aa', body)
> +-        return 'getfile %s' % path, contents
> +-
> +     def html_topics():
> +         """Index of topic texts available."""
> +
> +@@ -2648,8 +2632,6 @@ def get_html_page(url):
> +                 op, _, url = url.partition('=')
> +                 if op == "search?key":
> +                     title, content = html_search(url)
> +-                elif op == "getfile?key":
> +-                    title, content = html_getfile(url)
> +                 elif op == "topic?key":
> +                     # try topics first, then objects.
> +                     try:
> +diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
> +index 2f502627f4..3bc0e9e6b5 100644
> +--- a/Lib/test/test_pydoc.py
> ++++ b/Lib/test/test_pydoc.py
> +@@ -1374,18 +1374,12 @@ def test_url_requests(self):
> +             ("topic?key=def", "Pydoc: KEYWORD def"),
> +             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
> +             ("foobar", "Pydoc: Error - foobar"),
> +-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
> +             ]
> +
> +         with self.restrict_walk_packages():
> +             for url, title in requests:
> +                 self.call_url_handler(url, title)
> +
> +-            path = string.__file__
> +-            title = "Pydoc: getfile " + path
> +-            url = "getfile?key=" + path
> +-            self.call_url_handler(url, title)
> +-
> +
> + class TestHelper(unittest.TestCase):
> +     def test_keywords(self):
> +diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> +new file mode 100644
> +index 0000000000..4b42dd0530
> +--- /dev/null
> ++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> +@@ -0,0 +1,4 @@
> ++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
> ++could be abused to read arbitrary files on the disk (directory traversal
> ++vulnerability). Moreover, even source code of Python modules can contain
> ++sensitive data like passwords. Vulnerability reported by David Schwörer.
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
> index 072ce97472..cbeb599705 100644
> --- a/meta/recipes-devtools/python/python3_3.8.2.bb
> +++ b/meta/recipes-devtools/python/python3_3.8.2.bb
> @@ -39,6 +39,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>             file://CVE-2020-26116.patch \
>             file://CVE-2020-27619.patch \
>             file://CVE-2021-3177.patch \
> +           file://CVE-2021-3426.patch \
>             "
>
>  SRC_URI_append_class-native = " \
> --
> 2.24.3 (Apple Git-128)
>
>
> 
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [OE-core] [dunfell][PATCH] python3: fix CVE-2021-3426
  2021-06-21 16:07 ` [OE-core] " Steve Sakoman
@ 2021-06-21 17:22   ` Tim Orling
  0 siblings, 0 replies; 3+ messages in thread
From: Tim Orling @ 2021-06-21 17:22 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Minjae Kim, Patches and discussions about the oe-core layer

[-- Attachment #1: Type: text/plain, Size: 7185 bytes --]

On Mon, Jun 21, 2021 at 9:07 AM Steve Sakoman <steve@sakoman.com> wrote:

> Thanks for the patch!
>
> I'm going to wait a bit on merging this because we are evaluating
> doing a series of bug fix version bumps for python.  If successful
> this CVE would be among those fixed by the version bumps.
>
>  https://lists.openembedded.org/g/openembedded-core/message/153147

Steve
>
> On Mon, Jun 21, 2021 at 4:49 AM Minjae Kim <flowergom@gmail.com> wrote:
> >
> > Remove the pydoc getfile feature
> >
> > CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
> > could be abused to read arbitrary files on the disk (directory
> > traversal vulnerability). Moreover, even source code of Python
> > modules can contain sensitive data like passwords. Vulnerability
> > reported by David Schwörer.
> >
> > reference:
> > https://nvd.nist.gov/vuln/detail/CVE-2021-3426
> >
> https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8
> > ---
> >  .../python/python3/CVE-2021-3426.patch        | 105 ++++++++++++++++++
> >  meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
> >  2 files changed, 106 insertions(+)
> >  create mode 100644
> meta/recipes-devtools/python/python3/CVE-2021-3426.patch
> >
> > diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
> b/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
> > new file mode 100644
> > index 0000000000..68bd7d9296
> > --- /dev/null
> > +++ b/meta/recipes-devtools/python/python3/CVE-2021-3426.patch
> > @@ -0,0 +1,105 @@
> > +From 9b999479c0022edfc9835a8a1f06e046f3881048 Mon Sep 17 00:00:00 2001
> > +From: Victor Stinner <vstinner@python.org>
> > +Date: Mon, 29 Mar 2021 14:40:40 +0200
> > +Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
> > +could be abused to read arbitrary files on the disk (directory
> > +traversal vulnerability). Moreover, even source code of Python
> > +modules can contain sensitive data like passwords. Vulnerability
> > +reported by David Schwörer.
> > +
> > +Upstream-Status: Acepted
> > +[
> https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8
> ]
> > +CVE: CVE-2021-3426
> > +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> > +
> > +---
> > + Lib/pydoc.py                                   | 18 ------------------
> > + Lib/test/test_pydoc.py                         |  6 ------
> > + .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
> > + 3 files changed, 4 insertions(+), 24 deletions(-)
> > + create mode 100644
> Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> > +
> > +diff --git a/Lib/pydoc.py b/Lib/pydoc.py
> > +index 282a917998..753ea97ba0 100755
> > +--- a/Lib/pydoc.py
> > ++++ b/Lib/pydoc.py
> > +@@ -2456,9 +2456,6 @@ def page(self, title, contents):
> > + %s</head><body bgcolor="#f0f0f8">%s<div
> style="clear:both;padding-top:.5em;">%s</div>
> > + </body></html>''' % (title, css_link, html_navbar(), contents)
> > +
> > +-        def filelink(self, url, path):
> > +-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
> > +-
> > +
> > +     html = _HTMLDoc()
> > +
> > +@@ -2544,19 +2541,6 @@ def bltinlink(name):
> > +             'key = %s' % key, '#ffffff', '#ee77aa',
> '<br>'.join(results))
> > +         return 'Search Results', contents
> > +
> > +-    def html_getfile(path):
> > +-        """Get and display a source file listing safely."""
> > +-        path = urllib.parse.unquote(path)
> > +-        with tokenize.open(path) as fp:
> > +-            lines = html.escape(fp.read())
> > +-        body = '<pre>%s</pre>' % lines
> > +-        heading = html.heading(
> > +-            '<big><big><strong>File Listing</strong></big></big>',
> > +-            '#ffffff', '#7799ee')
> > +-        contents = heading + html.bigsection(
> > +-            'File: %s' % path, '#ffffff', '#ee77aa', body)
> > +-        return 'getfile %s' % path, contents
> > +-
> > +     def html_topics():
> > +         """Index of topic texts available."""
> > +
> > +@@ -2648,8 +2632,6 @@ def get_html_page(url):
> > +                 op, _, url = url.partition('=')
> > +                 if op == "search?key":
> > +                     title, content = html_search(url)
> > +-                elif op == "getfile?key":
> > +-                    title, content = html_getfile(url)
> > +                 elif op == "topic?key":
> > +                     # try topics first, then objects.
> > +                     try:
> > +diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
> > +index 2f502627f4..3bc0e9e6b5 100644
> > +--- a/Lib/test/test_pydoc.py
> > ++++ b/Lib/test/test_pydoc.py
> > +@@ -1374,18 +1374,12 @@ def test_url_requests(self):
> > +             ("topic?key=def", "Pydoc: KEYWORD def"),
> > +             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
> > +             ("foobar", "Pydoc: Error - foobar"),
> > +-            ("getfile?key=foobar", "Pydoc: Error -
> getfile?key=foobar"),
> > +             ]
> > +
> > +         with self.restrict_walk_packages():
> > +             for url, title in requests:
> > +                 self.call_url_handler(url, title)
> > +
> > +-            path = string.__file__
> > +-            title = "Pydoc: getfile " + path
> > +-            url = "getfile?key=" + path
> > +-            self.call_url_handler(url, title)
> > +-
> > +
> > + class TestHelper(unittest.TestCase):
> > +     def test_keywords(self):
> > +diff --git
> a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> > +new file mode 100644
> > +index 0000000000..4b42dd0530
> > +--- /dev/null
> > ++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
> > +@@ -0,0 +1,4 @@
> > ++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc`
> module which
> > ++could be abused to read arbitrary files on the disk (directory
> traversal
> > ++vulnerability). Moreover, even source code of Python modules can
> contain
> > ++sensitive data like passwords. Vulnerability reported by David
> Schwörer.
> > +--
> > +2.17.1
> > +
> > diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb
> b/meta/recipes-devtools/python/python3_3.8.2.bb
> > index 072ce97472..cbeb599705 100644
> > --- a/meta/recipes-devtools/python/python3_3.8.2.bb
> > +++ b/meta/recipes-devtools/python/python3_3.8.2.bb
> > @@ -39,6 +39,7 @@ SRC_URI = "
> http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> >             file://CVE-2020-26116.patch \
> >             file://CVE-2020-27619.patch \
> >             file://CVE-2021-3177.patch \
> > +           file://CVE-2021-3426.patch \
> >             "
> >
> >  SRC_URI_append_class-native = " \
> > --
> > 2.24.3 (Apple Git-128)
> >
> >
> >
> >
>
> 
>
>

[-- Attachment #2: Type: text/html, Size: 10287 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-21 17:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-21 14:49 [dunfell][PATCH] python3: fix CVE-2021-3426 Minjae Kim
2021-06-21 16:07 ` [OE-core] " Steve Sakoman
2021-06-21 17:22   ` Tim Orling

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.