author | Andrew M. Kuchling <amk@amk.ca> | 2006-05-31 14:08:48 (GMT) |
---|---|---|
committer | Andrew M. Kuchling <amk@amk.ca> | 2006-05-31 14:08:48 (GMT) |
commit | 622f14417521bcc94d39f6da638ee539c2cbaeb7 (patch) | |
tree | 103f3e45d7e7c49e7fa8ebdc1c00c3df7dad4151 /Doc | |
parent | bc09e1086e971d0dd4b846064832d23855eb0cd6 (diff) | |
download | cpython-622f14417521bcc94d39f6da638ee539c2cbaeb7.zip cpython-622f14417521bcc94d39f6da638ee539c2cbaeb7.tar.gz cpython-622f14417521bcc94d39f6da638ee539c2cbaeb7.tar.bz2 |
[Bug #1473048]
SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.
Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.
Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal. Maybe this will break people's applications
(though I doubt it). We could just set the default to an empty tuple,
which would exactly match the current behaviour.
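As an added, self-contained check of the behaviour this commit describes (it is not code from the CPython patch itself): it uses Python 3's xmlrpc.server, where the rpc_paths attribute lives on SimpleXMLRPCRequestHandler, starts a throwaway server on localhost, POSTs a valid XML-RPC call to each path and returns the HTTP status per path, so allowed paths should answer 200 and anything else 404; passing an empty tuple shows the "all paths valid" escape hatch. The /cgi-bin/phf path is the one the commit message cites; the add method and probe_paths helper are constructed for the example.

```python
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer


def probe_paths(paths, rpc_paths=('/', '/RPC2')):
    """Serve XML-RPC on an ephemeral localhost port with the given
    rpc_paths allow-list, POST a valid call to every path in `paths`,
    and return {path: http_status}. (Helper constructed for this example.)"""

    class Handler(SimpleXMLRPCRequestHandler):
        pass

    # Only these URL paths reach the dispatcher; others get a 404.
    # An empty tuple disables the check and accepts every path.
    Handler.rpc_paths = rpc_paths

    server = SimpleXMLRPCServer(('127.0.0.1', 0), requestHandler=Handler,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, 'add')  # sample method
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()

    # A well-formed methodCall body, so a 404 can only come from the path check.
    body = xmlrpc.client.dumps((2, 3), methodname='add')
    results = {}
    try:
        for path in paths:
            conn = http.client.HTTPConnection(host, port, timeout=5)
            conn.request('POST', path, body=body,
                         headers={'Content-Type': 'text/xml'})
            resp = conn.getresponse()
            resp.read()
            results[path] = resp.status
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == '__main__':
    print(probe_paths(['/RPC2', '/', '/cgi-bin/phf']))
    print(probe_paths(['/cgi-bin/phf'], rpc_paths=()))
```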
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/lib/libsimplexmlrpc.tex | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex index a25cabf..7a97861 100644 --- a/Doc/lib/libsimplexmlrpc.tex +++ b/Doc/lib/libsimplexmlrpc.tex @@ -111,6 +111,15 @@ simple, stand alone XML-RPC servers. Registers the XML-RPC multicall function system.multicall. \end{methoddesc} +\begin{memberdesc}[SimpleXMLRPCServer]{rpc_paths} +An attribute value that must be a tuple listing valid path portions of +the URL for receiving XML-RPC requests. Requests posted to other +paths will result in a 404 ``no such page'' HTTP error. If this +tuple is empty, all paths will be considered valid. +The default value is \code{('/', '/RPC2')}. + \versionadded{2.5} +\end{memberdesc} + Example: \begin{verbatim} |
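Review bot: the sentence "If this tuple is empty, all paths will be considered valid" in the new memberdesc should state plainly that an empty tuple switches the path check off and restores the behaviour the commit message is fixing (every path, including scanner probes, reaches the dispatcher), so a reader does not take it for a harmless setting; something like "Setting this to an empty tuple disables path checking entirely" would make the trade-off explicit. Minor style point in the same hunk: the "+ \versionadded{2.5}" line carries a leading space that the other lines inside the memberdesc do not.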