authorGuido van Rossum <guido@python.org>2005-02-03 15:01:24 (GMT)
committerGuido van Rossum <guido@python.org>2005-02-03 15:01:24 (GMT)
commitd06414257966a1551279d68ff3ab16316e459486 (patch)
tree4c8a457a30044d6676e222b3b5056b54b45836cf /Lib
parent0676dfdce06f6b01f35d76a4fb77c77c03468366 (diff)
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
Diffstat (limited to 'Lib')
-rw-r--r--Lib/SimpleXMLRPCServer.py34
1 files changed, 29 insertions, 5 deletions
diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py
index 68a20ef..315ce84 100644
--- a/Lib/SimpleXMLRPCServer.py
+++ b/Lib/SimpleXMLRPCServer.py
@@ -106,14 +106,22 @@ import BaseHTTPServer
import sys
import os
-def resolve_dotted_attribute(obj, attr):
+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
"""resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
Resolves a dotted attribute name to an object. Raises
an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
"""
- for i in attr.split('.'):
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
if i.startswith('_'):
raise AttributeError(
'attempt to access private attribute "%s"' % i
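Review bot: The new parameter on `resolve_dotted_attribute` defaults to `allow_dotted_names=True`, so any caller that omits the argument still gets the dotted traversal this fix restricts, while `register_instance` defaults to False. A fail-closed default would be safer if no outside caller depends on the old behaviour: `def resolve_dotted_attribute(obj, attr, allow_dotted_names=False):`. The docstring could also say that with the flag false the name is still rejected when it starts with '_', which plain `getattr(obj, attr)` would not do. The leading-underscore test is a denylist on each segment and does not limit which public attributes can be walked, so the comment should not present it as sufficient. The function body continues past the end of this hunk.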
@@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher:
self.funcs = {}
self.instance = None
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
"""Registers an instance to respond to XML-RPC requests.
Only one instance can be installed at a time.
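Review bot: `self.allow_dotted_names` is assigned only inside `register_instance`; the initialiser lines shown as context here (`self.funcs = {}`, `self.instance = None`) do not set it. Both dispatch hunks further down read `self.allow_dotted_names` inside a `try` whose handler is `except AttributeError: pass`, so a subclass or caller that sets `self.instance` directly would have the missing attribute swallowed and see the method as not found, with no trace of why. Adding `self.allow_dotted_names = False` next to `self.instance = None` makes the safe default explicit. Passing the flag by keyword at the two call sites, `allow_dotted_names=self.allow_dotted_names`, would also make them easier to read. The initialiser and the rest of `register_instance` lie outside this hunk, so this is inferred from the visible lines only.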
@@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher:
If a registered function matches a XML-RPC request, then it
will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
"""
self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
def register_function(self, function, name = None):
"""Registers a function to respond to XML-RPC requests.
@@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher:
try:
method = resolve_dotted_attribute(
self.instance,
- method_name
+ method_name,
+ self.allow_dotted_names
)
except AttributeError:
pass
@@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher:
try:
func = resolve_dotted_attribute(
self.instance,
- method
+ method,
+ self.allow_dotted_names
)
except AttributeError:
pass