2cefade65d
http://www.python.org/security/PSF-2005-001/ This disables hierarchical object lookups in SimpleXMLRPCServer. Unfortunately, this breaks some applications (eg kenosis). Don't shoot me for this. bump PKGREVISION
70 lines
2.7 KiB
Text
70 lines
2.7 KiB
Text
$NetBSD: patch-an,v 1.1 2005/02/04 15:39:04 drochner Exp $
|
|
|
|
--- Lib/SimpleXMLRPCServer.py.orig 2001-09-29 06:54:33.000000000 +0200
|
|
+++ Lib/SimpleXMLRPCServer.py
|
|
@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTT
|
|
try:
|
|
func = _resolve_dotted_attribute(
|
|
self.server.instance,
|
|
- method
|
|
+ method,
|
|
+ self.allow_dotted_names
|
|
)
|
|
except AttributeError:
|
|
pass
|
|
@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTT
|
|
BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
|
|
|
|
|
|
-def _resolve_dotted_attribute(obj, attr):
|
|
+def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
|
|
"""Resolves a dotted attribute name to an object. Raises
|
|
an AttributeError if any attribute in the chain starts with a '_'.
|
|
+
|
|
+ If the optional allow_dotted_names argument is false, dots are not
|
|
+ supported and this function operates similar to getattr(obj, attr).
|
|
"""
|
|
- for i in attr.split('.'):
|
|
+
|
|
+ if allow_dotted_names:
|
|
+ attrs = attr.split('.')
|
|
+ else:
|
|
+ attrs = [attr]
|
|
+
|
|
+ for i in attrs:
|
|
if i.startswith('_'):
|
|
raise AttributeError(
|
|
'attempt to access private attribute "%s"' % i
|
|
@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TC
|
|
self.instance = None
|
|
SocketServer.TCPServer.__init__(self, addr, requestHandler)
|
|
|
|
- def register_instance(self, instance):
|
|
+ def register_instance(self, instance, allow_dotted_names=False):
|
|
"""Registers an instance to respond to XML-RPC requests.
|
|
|
|
Only one instance can be installed at a time.
|
|
@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TC
|
|
|
|
If a registered function matches a XML-RPC request, then it
|
|
will be called instead of the registered instance.
|
|
+
|
|
+ If the optional allow_dotted_names argument is true and the
|
|
+ instance does not have a _dispatch method, method names
|
|
+ containing dots are supported and resolved, as long as none of
|
|
+ the name segments start with an '_'.
|
|
+
|
|
+ *** SECURITY WARNING: ***
|
|
+
|
|
+ Enabling the allow_dotted_names options allows intruders
|
|
+ to access your module's global variables and may allow
|
|
+ intruders to execute arbitrary code on your machine. Only
|
|
+ use this option on a secure, closed network.
|
|
+
|
|
"""
|
|
|
|
self.instance = instance
|
|
+ self.allow_dotted_names = allow_dotted_names
|
|
|
|
def register_function(self, function, name = None):
|
|
"""Registers a function to respond to XML-RPC requests.
|