authorGuido van Rossum <guido@python.org>2005-02-03 14:58:41 +0000
committerGuido van Rossum <guido@python.org>2005-02-03 14:58:41 +0000
commitd918437126c0fbda82d0bc9c7d24a57e28da79a6 (patch)
treeca2b0dfd0fdd806a5f4e353bf873619bf53cb221
parent5a2cf40b644940c30f9b30d79045b2214a37ea9f (diff)
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
-rw-r--r--Lib/SimpleXMLRPCServer.py32
-rw-r--r--Misc/NEWS4
2 files changed, 32 insertions, 4 deletions
diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py
index 0a9168387a..f184549636 100644
--- a/Lib/SimpleXMLRPCServer.py
+++ b/Lib/SimpleXMLRPCServer.py
@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
try:
func = _resolve_dotted_attribute(
self.server.instance,
- method
+ method,
+ self.allow_dotted_names
)
except AttributeError:
pass
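Review bot: The new argument on the line after `method,` reads `self.allow_dotted_names` from the request handler, but the flag is stored on the server object (`self.allow_dotted_names = allow_dotted_names` in `SimpleXMLRPCServer.register_instance`), which is why the line above already goes through `self.server.instance`. Unless `SimpleXMLRPCRequestHandler` defines that attribute somewhere not shown, the lookup raises AttributeError, which the `except AttributeError: pass` directly below swallows, so every instance-method call leaves `func` unresolved — the fix fails closed but also disables the dispatch it was meant to keep. The lookup should be `self.server.allow_dotted_names`, and reading it into a local before the `try:` would keep that except clause from masking this class of mistake. The enclosing handler method starts and ends outside the hunk.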
@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
-def _resolve_dotted_attribute(obj, attr):
+def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
"""Resolves a dotted attribute name to an object. Raises
an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
"""
- for i in attr.split('.'):
+
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
if i.startswith('_'):
raise AttributeError(
'attempt to access private attribute "%s"' % i
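Review bot: The helper's new default `allow_dotted_names=True` on the `def` line is the opposite of the public default `register_instance(..., allow_dotted_names=False)` in a later hunk, so any caller that still passes only `(obj, attr)` silently keeps the recursive traversal the advisory disables. For a security fix the private helper should fail closed as well: `def _resolve_dotted_attribute(obj, attr, allow_dotted_names=False):`, with the one visible caller passing the flag explicitly as it already does. The docstring could also state that with the flag off a name containing a dot is looked up as a single attribute and therefore fails with AttributeError rather than being split. The loop body and the function's return continue past the end of the hunk.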
@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TCPServer):
self.instance = None
SocketServer.TCPServer.__init__(self, addr, requestHandler)
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
"""Registers an instance to respond to XML-RPC requests.
Only one instance can be installed at a time.
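Review bot: `__init__` still initializes only `self.instance = None` (the first context line); `allow_dotted_names` is created later, in `register_instance`, so a server on which no instance has been registered has no such attribute at all. If any handler code path reads the flag before checking `self.server.instance` — the dispatch code is not visible here — that is an AttributeError waiting to happen, and in any case the fail-closed default deserves to be explicit at construction time: add `self.allow_dotted_names = False` next to `self.instance = None`. `__init__` begins outside the hunk, and the body of `register_instance` continues in the next hunk.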
@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TCPServer):
If a registered function matches a XML-RPC request, then it
will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
"""
self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
def register_function(self, function, name = None):
"""Registers a function to respond to XML-RPC requests.
diff --git a/Misc/NEWS b/Misc/NEWS
index ecf9f45e2c..4f1e057213 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -2,6 +2,10 @@ What's New in Python 2.2.4?
Release date: XX-XXX-XXXX
===========================
+- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This
+ disables recursive traversal through instance attributes, which can
+ be exploited in various ways.
+
- Fixed a bug in the cache of length-one Unicode strings that could
lead to a seg fault. The specific problem occurred when an earlier,
non-fatal error left an uninitialized Unicode object in the