path: root/Lib/DocXMLRPCServer.py
author: Andrew M. Kuchling <amk@amk.ca> 2006-05-31 14:08:48 +0000
committer: Andrew M. Kuchling <amk@amk.ca> 2006-05-31 14:08:48 +0000
commit: 5142c4dc0d5dba3a8c09391e9e752e27f3fd0c48 (patch)
tree: 44897b8a64d6f03c1796c4fb3f17b9dfecf1bf4d /Lib/DocXMLRPCServer.py
parent: a62a18437fa5e5646db0304f4fac43cd487a934e (diff)
download: cpython-5142c4dc0d5dba3a8c09391e9e752e27f3fd0c48.tar.gz
[Bug #1473048]
SimpleXMLRPCServer and DocXMLRPCServer don't look at the path of the HTTP request at all; you can POST or GET from / or /RPC2 or /blahblahblah with the same results. Security scanners that look for /cgi-bin/phf will therefore report lots of vulnerabilities. Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class, and report a 404 error if the path isn't on the allowed list. Possibly-controversial aspect of this change: the default makes only '/' and '/RPC2' legal. Maybe this will break people's applications (though I doubt it). We could just set the default to an empty tuple, which would exactly match the current behaviour.
Diffstat (limited to 'Lib/DocXMLRPCServer.py')
-rw-r--r-- Lib/DocXMLRPCServer.py 4
1 files changed, 4 insertions, 0 deletions
diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
index 259fb18b86..86ed32b6fc 100644
--- a/Lib/DocXMLRPCServer.py
+++ b/Lib/DocXMLRPCServer.py
@@ -227,6 +227,10 @@ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
Interpret all HTTP GET requests as requests for server
documentation.
"""
+ # Check that the path is legal
+ if not self.is_rpc_path_valid():
+ self.report_404()
+ return
response = self.server.generate_html_documentation()
self.send_response(200)
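Review bot: the docstring directly above the new check still states that all HTTP GET requests are interpreted as documentation requests, which is no longer true once `is_rpc_path_valid()` can short-circuit with `report_404()`; suggest extending it along the lines of "GET requests for paths not listed in rpc_paths are answered with a 404". Also note that neither `is_rpc_path_valid()` nor `report_404()` is defined in this file: both must come from the `SimpleXMLRPCRequestHandler` base class named in the hunk header, so this hunk only works in combination with the SimpleXMLRPCServer.py part of the same commit, which the diffstat shown here (limited to Lib/DocXMLRPCServer.py) does not include.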