| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
| |
(This code is duplicated between pydoc and DocXMLRPCServer; maybe it
should be refactored as a GHOP project.)
2.5.2 backport candidate.
|
| |
|
|
|
|
|
|
| |
* remove parameter default that didn't make sense
* properly escape values in output
Thanks to Jeff Wheeler from GHOP!
|
|
|
|
| |
and server_activate() in the constructors for TCPServer, SimpleXMLRPCServer and DocXMLRPCServer.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.
Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.
Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal. Maybe this will break people's applications
(though I doubt it). We could just set the default to an empty tuple,
which would exactly match the current behaviour.
|
| |
|
| |
|
| |
|
| |
|
|
|