From d06414257966a1551279d68ff3ab16316e459486 Mon Sep 17 00:00:00 2001 From: Guido van Rossum Date: Thu, 3 Feb 2005 15:01:24 +0000 Subject: Security fix PSF-2005-001 for SimpleXMLRPCServer.py. --- Doc/lib/libsimplexmlrpc.tex | 19 +++++++++++++++++-- Lib/SimpleXMLRPCServer.py | 34 +++++++++++++++++++++++++++++----- Misc/NEWS | 4 ++++ 3 files changed, 50 insertions(+), 7 deletions(-) diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex index 0170c1a..9297a4e 100644 --- a/Doc/lib/libsimplexmlrpc.tex +++ b/Doc/lib/libsimplexmlrpc.tex @@ -55,7 +55,8 @@ simple, stand alone XML-RPC servers. period character. \end{methoddesc} -\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance} +\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{, + allow_dotted_names}} Register an object which is used to expose method names which have not been registered using \method{register_function()}. If \var{instance} contains a \method{_dispatch()} method, it is called @@ -67,12 +68,26 @@ simple, stand alone XML-RPC servers. The return value from \method{_dispatch()} is returned to the client as the result. If \var{instance} does not have a \method{_dispatch()} method, it is - searched for an attribute matching the name of the requested method; + searched for an attribute matching the name of the requested method. + + If the optional \var{allow_dotted_names} argument is true and the + instance does not have a \method{_dispatch()} method, then if the requested method name contains periods, each component of the method name is searched for individually, with the effect that a simple hierarchical search is performed. The value found from this search is then called with the parameters from the request, and the return value is passed back to the client. + + \begin{notice}[warning] + Enabling the \var{allow_dotted_names} option allows intruders to access + your module's global variables and may allow intruders to execute + arbitrary code on your machine. Only use this option on a secure, + closed network. + \end{notice} + + \versionchanged[\var{allow_dotted_names} was added to plug a security hole; + prior versions are insecure]{2.3.5, 2.4.1} + \end{methoddesc} \begin{methoddesc}{register_introspection_functions}{} diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py index 68a20ef..315ce84 100644 --- a/Lib/SimpleXMLRPCServer.py +++ b/Lib/SimpleXMLRPCServer.py @@ -106,14 +106,22 @@ import BaseHTTPServer import sys import os -def resolve_dotted_attribute(obj, attr): +def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d Resolves a dotted attribute name to an object. Raises an AttributeError if any attribute in the chain starts with a '_'. + + If the optional allow_dotted_names argument is false, dots are not + supported and this function operates similar to getattr(obj, attr). """ - for i in attr.split('.'): + if allow_dotted_names: + attrs = attr.split('.') + else: + attrs = [attr] + + for i in attrs: if i.startswith('_'): raise AttributeError( 'attempt to access private attribute "%s"' % i @@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher: self.funcs = {} self.instance = None - def register_instance(self, instance): + def register_instance(self, instance, allow_dotted_names=False): """Registers an instance to respond to XML-RPC requests. Only one instance can be installed at a time. @@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher: If a registered function matches a XML-RPC request, then it will be called instead of the registered instance. + + If the optional allow_dotted_names argument is true and the + instance does not have a _dispatch method, method names + containing dots are supported and resolved, as long as none of + the name segments start with an '_'. + + *** SECURITY WARNING: *** + + Enabling the allow_dotted_names options allows intruders + to access your module's global variables and may allow + intruders to execute arbitrary code on your machine. Only + use this option on a secure, closed network. + """ self.instance = instance + self.allow_dotted_names = allow_dotted_names def register_function(self, function, name = None): """Registers a function to respond to XML-RPC requests. @@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher: try: method = resolve_dotted_attribute( self.instance, - method_name + method_name, + self.allow_dotted_names ) except AttributeError: pass @@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher: try: func = resolve_dotted_attribute( self.instance, - method + method, + self.allow_dotted_names ) except AttributeError: pass diff --git a/Misc/NEWS b/Misc/NEWS index 926ac52..42a5abc 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -47,6 +47,10 @@ Extension Modules Library ------- +- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This + disables recursive traversal through instance attributes, which can + be exploited in various ways. + - Bug #1110478: Revert os.environ.update to do putenv again. - Bug #1103844: fix distutils.install.dump_dirs() with negated options. -- cgit v0.12