author | Guido van Rossum <guido@python.org> | 2005-02-03 14:58:41 +0000 |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2005-02-03 14:58:41 +0000 |
commit | d918437126c0fbda82d0bc9c7d24a57e28da79a6 (patch) | |
tree | ca2b0dfd0fdd806a5f4e353bf873619bf53cb221 | |
parent | 5a2cf40b644940c30f9b30d79045b2214a37ea9f (diff) | |
download | cpython-d918437126c0fbda82d0bc9c7d24a57e28da79a6.tar.gz |
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
-rw-r--r-- | Lib/SimpleXMLRPCServer.py | 32 | ||||
-rw-r--r-- | Misc/NEWS | 4 |
2 files changed, 32 insertions, 4 deletions
diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py
index 0a9168387a..f184549636 100644
--- a/Lib/SimpleXMLRPCServer.py
+++ b/Lib/SimpleXMLRPCServer.py
@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 try:
 func = _resolve_dotted_attribute(
 self.server.instance,
- method
+ method,
+ self.allow_dotted_names
 )
 except AttributeError:
 pass
@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
-def _resolve_dotted_attribute(obj, attr):
+def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
 """Resolves a dotted attribute name to an object. Raises an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
 """
- for i in attr.split('.'):
+
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
 if i.startswith('_'):
 raise AttributeError(
 'attempt to access private attribute "%s"' % i
@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TCPServer):
 self.instance = None
 SocketServer.TCPServer.__init__(self, addr, requestHandler)
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
 """Registers an instance to respond to XML-RPC requests. Only one instance can be installed at a time.
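Review bot: The `self.allow_dotted_names` argument added to the `_resolve_dotted_attribute` call looks the flag up on the request handler, but the same patch stores it on the server object (`self.allow_dotted_names = allow_dotted_names` inside `SimpleXMLRPCServer.register_instance`), and the handler already reaches the instance through `self.server.instance`. Unless the handler defines the attribute somewhere outside this diff, the lookup raises AttributeError and the surrounding `except AttributeError: pass` swallows it, so instance-method dispatch fails silently instead of honouring the flag. The line should read `self.server.allow_dotted_names`. The enclosing handler method starts and ends outside the hunk.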
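Review bot: The new `allow_dotted_names=True` default on `_resolve_dotted_attribute` keeps recursive attribute traversal switched on for any caller that omits the argument, the opposite of the `allow_dotted_names=False` default that `register_instance` adopts in the same commit. The one visible caller passes the flag explicitly, so changing the signature to `def _resolve_dotted_attribute(obj, attr, allow_dotted_names=False):` costs nothing and makes the restricted behaviour the one a future caller gets by default. The function body continues past the end of the hunk.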
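Review bot: `SimpleXMLRPCServer.__init__` initialises `self.instance = None` but not the new flag, which is only assigned inside `register_instance` further down this diff; any code that reads `self.allow_dotted_names` on a server before an instance has been registered gets an AttributeError. Adding `self.allow_dotted_names = False` beside `self.instance = None` gives the attribute a defined, restrictive value for the server's whole lifetime. The constructor's opening lines are outside the hunk.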
@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TCPServer):
 If a registered function matches a XML-RPC request, then it will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
 """
 self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
 def register_function(self, function, name = None):
 """Registers a function to respond to XML-RPC requests.
@@ -2,6 +2,10 @@ What's New in Python 2.2.4?
 Release date: XX-XXX-XXXX
 ===========================
+- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This
+ disables recursive traversal through instance attributes, which can
+ be exploited in various ways.
+
 - Fixed a bug in the cache of length-one Unicode strings that could lead to a seg fault. The specific problem occurred when an earlier, non-fatal error left an uninitialized Unicode object in the |