author | Guido van Rossum <guido@python.org> | 2005-02-03 14:59:43 +0000 |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2005-02-03 14:59:43 +0000 |
commit | 018a548f00969d8ddcf4764d43ddaf7179a688cb (patch) | |
tree | ecca80025350e783c9a62a80143600e4f2358657 | |
parent | 392b2cb4bc02676f698e1a68d4351bb5b93c6569 (diff) | |
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
-rw-r--r-- | Doc/lib/libsimplexmlrpc.tex | 19 | ||||
-rw-r--r-- | Lib/SimpleXMLRPCServer.py | 34 | ||||
-rw-r--r-- | Misc/NEWS | 9 |
3 files changed, 55 insertions, 7 deletions
diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex index f9afce0e18..503f2469de 100644 --- a/Doc/lib/libsimplexmlrpc.tex +++ b/Doc/lib/libsimplexmlrpc.tex @@ -55,19 +55,34 @@ simple, stand alone XML-RPC servers. period character. \end{methoddesc} -\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance} +\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{, + allow_dotted_names}} Register an object which is used to expose method names which have not been registered using \method{register_function()}. If \var{instance} contains a \method{_dispatch()} method, it is called with the requested method name and the parameters from the request; the return value is returned to the client as the result. If \var{instance} does not have a \method{_dispatch()} method, it is - searched for an attribute matching the name of the requested method; + searched for an attribute matching the name of the requested method. + + If the optional \var{allow_dotted_names} argument is true and the + instance does not have a \method{_dispatch()} method, then if the requested method name contains periods, each component of the method name is searched for individually, with the effect that a simple hierarchical search is performed. The value found from this search is then called with the parameters from the request, and the return value is passed back to the client. + + \begin{notice}[warning] + Enabling the \var{allow_dotted_names} option allows intruders to access + your module's global variables and may allow intruders to execute + arbitrary code on your machine. Only use this option on a secure, + closed network. + \end{notice} + + \versionchanged[\var{allow_dotted_names} was added to plug a security hole; + prior versions are insecure]{2.3.5, 2.4.1} + \end{methoddesc} \begin{methoddesc}{register_introspection_functions}{} diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py index 892a61e273..3cc75da906 100644 
--- a/Lib/SimpleXMLRPCServer.py +++ b/Lib/SimpleXMLRPCServer.py @@ -107,14 +107,22 @@ import sys import types import os -def resolve_dotted_attribute(obj, attr): +def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d Resolves a dotted attribute name to an object. Raises an AttributeError if any attribute in the chain starts with a '_'. + + If the optional allow_dotted_names argument is false, dots are not + supported and this function operates similar to getattr(obj, attr). """ - for i in attr.split('.'): + if allow_dotted_names: + attrs = attr.split('.') + else: + attrs = [attr] + + for i in attrs: if i.startswith('_'): raise AttributeError( 'attempt to access private attribute "%s"' % i @@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher: self.funcs = {} self.instance = None - def register_instance(self, instance): + def register_instance(self, instance, allow_dotted_names=False): """Registers an instance to respond to XML-RPC requests. Only one instance can be installed at a time. @@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher: If a registered function matches a XML-RPC request, then it will be called instead of the registered instance. + + If the optional allow_dotted_names argument is true and the + instance does not have a _dispatch method, method names + containing dots are supported and resolved, as long as none of + the name segments start with an '_'. + + *** SECURITY WARNING: *** + + Enabling the allow_dotted_names options allows intruders + to access your module's global variables and may allow + intruders to execute arbitrary code on your machine. Only + use this option on a secure, closed network. + """ self.instance = instance + self.allow_dotted_names = allow_dotted_names def register_function(self, function, name = None): """Registers a function to respond to XML-RPC requests. 
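Review bot: The module-level helper keeps the permissive behaviour by default — `def resolve_dotted_attribute(obj, attr, allow_dotted_names=True)` — so any caller that does not pass the new argument still walks every dotted segment, which is exactly the traversal this fix switches off in the dispatcher. The dispatcher passes the flag explicitly in the later hunks, so the default only affects direct callers of the helper, but the new docstring paragraph should say which behaviour the default selects; I'd add `The default (True) keeps the pre-fix traversal; pass False when attr comes from an untrusted client.` The leading-underscore check in the loop is not a sufficient control by itself, as the warning added to register_instance in this same commit acknowledges, so flipping the default to False in a later release is worth considering. The loop body that performs the getattr continues past the end of this hunk.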
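Review bot: `self.allow_dotted_names = allow_dotted_names` is assigned only here in register_instance, while the `__init__` shown as context in the preceding hunk initialises `self.funcs` and `self.instance` but not the new attribute; a subclass or caller that sets `self.instance` directly without going through register_instance now gets an AttributeError when dispatch reads the flag. I'd add `self.allow_dotted_names = False` next to `self.instance = None` in `__init__` (outside this hunk) so the secure default holds however the instance was installed. In the new docstring, `Enabling the allow_dotted_names options allows intruders` should read `option`.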
@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher: try: method = resolve_dotted_attribute( self.instance, - method_name + method_name, + self.allow_dotted_names ) except AttributeError: pass @@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher: try: func = resolve_dotted_attribute( self.instance, - method + method, + self.allow_dotted_names ) except AttributeError: pass @@ -11,8 +11,17 @@ What's New in Python 2.3.5? Core and builtins ----------------- + - Partially revert the fix for #1074011; don't try to fflush stdin anymore. +Library +------- + +- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This + disables recursive traversal through instance attributes, which can + be exploited in various ways. + + What's New in Python 2.3.5rc1? ============================== |
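Review bot: The new argument `self.allow_dotted_names` is evaluated inside the `try` whose handler is `except AttributeError: pass`, so if the attribute was never set (it is assigned only in register_instance) the AttributeError raised by the attribute read itself is swallowed and the request is reported as an unknown method instead of surfacing the misconfiguration. Reading the flag before the `try` — `allow_dotted = self.allow_dotted_names` — and passing `allow_dotted` in the call keeps the handler scoped to the attribute lookup it was written for; the same applies to the second hunk at `@@ -374,7 +397,8 @@`. Whether these reads sit under an `if self.instance is not None:` guard is not visible here, and both enclosing functions begin and end outside these hunks.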