diff options
author | Guido van Rossum <guido@python.org> | 2005-02-03 15:01:24 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2005-02-03 15:01:24 (GMT) |
commit | d06414257966a1551279d68ff3ab16316e459486 (patch) | |
tree | 4c8a457a30044d6676e222b3b5056b54b45836cf /Lib | |
parent | 0676dfdce06f6b01f35d76a4fb77c77c03468366 (diff) | |
download | cpython-d06414257966a1551279d68ff3ab16316e459486.zip cpython-d06414257966a1551279d68ff3ab16316e459486.tar.gz cpython-d06414257966a1551279d68ff3ab16316e459486.tar.bz2 |
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
Diffstat (limited to 'Lib')
-rw-r--r-- | Lib/SimpleXMLRPCServer.py | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py index 68a20ef..315ce84 100644 --- a/Lib/SimpleXMLRPCServer.py +++ b/Lib/SimpleXMLRPCServer.py @@ -106,14 +106,22 @@ import BaseHTTPServer import sys import os -def resolve_dotted_attribute(obj, attr): +def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d Resolves a dotted attribute name to an object. Raises an AttributeError if any attribute in the chain starts with a '_'. + + If the optional allow_dotted_names argument is false, dots are not + supported and this function operates similar to getattr(obj, attr). """ - for i in attr.split('.'): + if allow_dotted_names: + attrs = attr.split('.') + else: + attrs = [attr] + + for i in attrs: if i.startswith('_'): raise AttributeError( 'attempt to access private attribute "%s"' % i @@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher: self.funcs = {} self.instance = None - def register_instance(self, instance): + def register_instance(self, instance, allow_dotted_names=False): """Registers an instance to respond to XML-RPC requests. Only one instance can be installed at a time. @@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher: If a registered function matches a XML-RPC request, then it will be called instead of the registered instance. + + If the optional allow_dotted_names argument is true and the + instance does not have a _dispatch method, method names + containing dots are supported and resolved, as long as none of + the name segments start with an '_'. + + *** SECURITY WARNING: *** + + Enabling the allow_dotted_names options allows intruders + to access your module's global variables and may allow + intruders to execute arbitrary code on your machine. Only + use this option on a secure, closed network. + """ self.instance = instance + self.allow_dotted_names = allow_dotted_names def register_function(self, function, name = None): """Registers a function to respond to XML-RPC requests. @@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher: try: method = resolve_dotted_attribute( self.instance, - method_name + method_name, + self.allow_dotted_names ) except AttributeError: pass @@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher: try: func = resolve_dotted_attribute( self.instance, - method + method, + self.allow_dotted_names ) except AttributeError: pass |