authorGuido van Rossum <guido@python.org>2005-02-03 14:59:43 +0000
committerGuido van Rossum <guido@python.org>2005-02-03 14:59:43 +0000
commit018a548f00969d8ddcf4764d43ddaf7179a688cb (patch)
treeecca80025350e783c9a62a80143600e4f2358657
parent392b2cb4bc02676f698e1a68d4351bb5b93c6569 (diff)
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
-rw-r--r--Doc/lib/libsimplexmlrpc.tex19
-rw-r--r--Lib/SimpleXMLRPCServer.py34
-rw-r--r--Misc/NEWS9
3 files changed, 55 insertions, 7 deletions
diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex
index f9afce0e18..503f2469de 100644
--- a/Doc/lib/libsimplexmlrpc.tex
+++ b/Doc/lib/libsimplexmlrpc.tex
@@ -55,19 +55,34 @@ simple, stand alone XML-RPC servers.
period character.
\end{methoddesc}
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+ allow_dotted_names}}
Register an object which is used to expose method names which have
not been registered using \method{register_function()}. If
\var{instance} contains a \method{_dispatch()} method, it is called
with the requested method name and the parameters from the request;
the return value is returned to the client as the result. If
\var{instance} does not have a \method{_dispatch()} method, it is
- searched for an attribute matching the name of the requested method;
+ searched for an attribute matching the name of the requested method.
+
+ If the optional \var{allow_dotted_names} argument is true and the
+ instance does not have a \method{_dispatch()} method, then
if the requested method name contains periods, each component of the
method name is searched for individually, with the effect that a
simple hierarchical search is performed. The value found from this
search is then called with the parameters from the request, and the
return value is passed back to the client.
+
+ \begin{notice}[warning]
+ Enabling the \var{allow_dotted_names} option allows intruders to access
+ your module's global variables and may allow intruders to execute
+ arbitrary code on your machine. Only use this option on a secure,
+ closed network.
+ \end{notice}
+
+ \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+ prior versions are insecure]{2.3.5, 2.4.1}
+
\end{methoddesc}
\begin{methoddesc}{register_introspection_functions}{}
diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py
index 892a61e273..3cc75da906 100644
--- a/Lib/SimpleXMLRPCServer.py
+++ b/Lib/SimpleXMLRPCServer.py
@@ -107,14 +107,22 @@ import sys
import types
import os
-def resolve_dotted_attribute(obj, attr):
+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
"""resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
Resolves a dotted attribute name to an object. Raises
an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
"""
- for i in attr.split('.'):
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
if i.startswith('_'):
raise AttributeError(
'attempt to access private attribute "%s"' % i
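Review bot: The helper's new parameter defaults to `allow_dotted_names=True` while `register_instance` (later hunk) defaults to `False`, so a caller that invokes `resolve_dotted_attribute` directly without the new argument keeps the pre-fix dotted traversal; only the dispatcher's own call sites are made safe by this commit. Consider defaulting the helper to `False` too, or at minimum documenting the asymmetry in its docstring, e.g. `The default of True is kept for backward compatibility; new callers should pass False unless dotted traversal is intended.` The first docstring line, `resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d`, now holds only when the flag is true, which the added paragraph could say explicitly. The function body continues past the end of this hunk.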
@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher:
self.funcs = {}
self.instance = None
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
"""Registers an instance to respond to XML-RPC requests.
Only one instance can be installed at a time.
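Review bot: `self.allow_dotted_names` is introduced as a dispatcher attribute but, as far as this diff shows, is only assigned inside `register_instance`; the `__init__` tail visible as context here (`self.funcs = {}`, `self.instance = None`) gives it no default, so the two read sites in the `_dispatch` and method-help hunks rely on `register_instance` having run first. Initializing it with the restrictive value in `__init__`, `self.allow_dotted_names = False` directly after `self.instance = None`, guarantees the attribute exists and makes the safe behaviour the baseline even if a subclass sets `self.instance` by another route. The body of `register_instance` continues in the next hunk.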
@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher:
If a registered function matches a XML-RPC request, then it
will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
"""
self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
def register_function(self, function, name = None):
"""Registers a function to respond to XML-RPC requests.
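Review bot: The security warning added to the `register_instance` docstring has a typo, `Enabling the allow_dotted_names options allows intruders` should read `Enabling the allow_dotted_names option allows intruders`. Keeping this wording identical to the `\begin{notice}[warning]` block in `libsimplexmlrpc.tex` from the first hunk would make the two easier to keep in sync when either is revised.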
@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher:
try:
method = resolve_dotted_attribute(
self.instance,
- method_name
+ method_name,
+ self.allow_dotted_names
)
except AttributeError:
pass
@@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher:
try:
func = resolve_dotted_attribute(
self.instance,
- method
+ method,
+ self.allow_dotted_names
)
except AttributeError:
pass
diff --git a/Misc/NEWS b/Misc/NEWS
index 24af10ae47..d320877fb5 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -11,8 +11,17 @@ What's New in Python 2.3.5?
Core and builtins
-----------------
+
- Partially revert the fix for #1074011; don't try to fflush stdin anymore.
+Library
+-------
+
+- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This
+ disables recursive traversal through instance attributes, which can
+ be exploited in various ways.
+
+
What's New in Python 2.3.5rc1?
==============================