author: Guido van Rossum <guido@python.org>, 2005-02-03 15:01:24 (GMT)
committer: Guido van Rossum <guido@python.org>, 2005-02-03 15:01:24 (GMT)
commit: d06414257966a1551279d68ff3ab16316e459486 (patch)
tree: 4c8a457a30044d6676e222b3b5056b54b45836cf /Doc/lib
parent: 0676dfdce06f6b01f35d76a4fb77c77c03468366 (diff)
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
Diffstat (limited to 'Doc/lib')
-rw-r--r-- | Doc/lib/libsimplexmlrpc.tex | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex index 0170c1a..9297a4e 100644 --- a/Doc/lib/libsimplexmlrpc.tex +++ b/Doc/lib/libsimplexmlrpc.tex @@ -55,7 +55,8 @@ simple, stand alone XML-RPC servers. period character. \end{methoddesc} -\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance} +\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{, + allow_dotted_names}} Register an object which is used to expose method names which have not been registered using \method{register_function()}. If \var{instance} contains a \method{_dispatch()} method, it is called @@ -67,12 +68,26 @@ simple, stand alone XML-RPC servers. The return value from \method{_dispatch()} is returned to the client as the result. If \var{instance} does not have a \method{_dispatch()} method, it is - searched for an attribute matching the name of the requested method; + searched for an attribute matching the name of the requested method. + + If the optional \var{allow_dotted_names} argument is true and the + instance does not have a \method{_dispatch()} method, then if the requested method name contains periods, each component of the method name is searched for individually, with the effect that a simple hierarchical search is performed. The value found from this search is then called with the parameters from the request, and the return value is passed back to the client. + + \begin{notice}[warning] + Enabling the \var{allow_dotted_names} option allows intruders to access + your module's global variables and may allow intruders to execute + arbitrary code on your machine. Only use this option on a secure, + closed network. + \end{notice} + + \versionchanged[\var{allow_dotted_names} was added to plug a security hole; + prior versions are insecure]{2.3.5, 2.4.1} + \end{methoddesc} \begin{methoddesc}{register_introspection_functions}{} |
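Review bot: In the first hunk (@@ -55,7 +55,8 @@) the signature now advertises `\optional{, allow_dotted_names}` but nothing in the hunk states its default value; since the fix relies on dotted-name traversal being off unless explicitly requested (the warning added below speaks of "enabling" the option), the body text should say so in so many words, e.g. "\var{allow_dotted_names} defaults to false". Breaking the `\optional{...}` argument across the line after the comma is harmless in LaTeX but is easier to read kept on one line.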
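Review bot: The second hunk (@@ -67,12 +68,26 @@) documents only the case where \var{allow_dotted_names} is true; it never says what happens to a request whose method name contains periods when the option is false (is the request rejected, or is the whole dotted string looked up as one attribute name?). One sentence covering that case would let readers judge whether the default is safe for their deployment. Minor wording: "then if the requested method name contains periods, each component ..." reads awkwardly after the "If ... and ..." opener; suggest "If the optional \var{allow_dotted_names} argument is true, the instance does not have a \method{_dispatch()} method, and the requested method name contains periods, each component of the method name is searched for individually, ...". The \versionchanged note could also cite the advisory named in the commit message (PSF-2005-001) so readers can locate it.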