[Python-checkins] python/dist/src/Lib SimpleXMLRPCServer.py, 1.7.8.1, 1.7.8.2

gvanrossum at users.sourceforge.net gvanrossum at users.sourceforge.net
Thu Feb 3 15:59:47 CET 2005


Update of /cvsroot/python/python/dist/src/Lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14953/Lib
Modified Files:
 Tag: release23-maint
	SimpleXMLRPCServer.py 
Log Message:
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
Index: SimpleXMLRPCServer.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Lib/SimpleXMLRPCServer.py,v
retrieving revision 1.7.8.1
retrieving revision 1.7.8.2
diff -u -d -r1.7.8.1 -r1.7.8.2
--- SimpleXMLRPCServer.py	3 Oct 2004 23:23:00 -0000	1.7.8.1
+++ SimpleXMLRPCServer.py	3 Feb 2005 14:59:43 -0000	1.7.8.2
@@ -107,14 +107,22 @@
 import types
 import os
 
-def resolve_dotted_attribute(obj, attr):
+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
 """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
 
 Resolves a dotted attribute name to an object. Raises
 an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
 """
 
- for i in attr.split('.'):
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
 if i.startswith('_'):
 raise AttributeError(
 'attempt to access private attribute "%s"' % i
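Review bot: The new parameter on `resolve_dotted_attribute` defaults to `allow_dotted_names=True`, the opposite of the `False` default that `register_instance` gets in this same commit. Any caller that omits the third argument therefore still resolves dotted paths, with the leading-underscore test as the only filter on each segment. If the permissive default is kept for backward compatibility, the docstring should say so, for example by adding `Callers resolving names taken from an XML-RPC request should pass allow_dotted_names=False unless dotted access is explicitly wanted.` The function body continues past the end of this hunk, so the rest of the loop is not visible here.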
@@ -156,7 +164,7 @@
 self.funcs = {}
 self.instance = None
 
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
 """Registers an instance to respond to XML-RPC requests.
 
 Only one instance can be installed at a time.
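Review bot: `self.allow_dotted_names` is given no initial value next to `self.instance = None` in the context lines at the top of this hunk (which appear to be the constructor); it is assigned only at the end of `register_instance`, in the next hunk. Both updated call sites (the hunks at -295 and -374) read it inside `try: ... except AttributeError: pass`. If `instance` were ever set without going through `register_instance`, for instance by a subclass assigning it directly, the missing attribute would be swallowed and the method silently reported as not found. That fails closed but is hard to diagnose; adding `self.allow_dotted_names = False` right after `self.instance = None` would give the flag a defined, restrictive default. Both the constructor and `register_instance` extend outside this hunk.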
@@ -174,9 +182,23 @@
 
 If a registered function matches a XML-RPC request, then it
 will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
 """
 
 self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
 
 def register_function(self, function, name = None):
 """Registers a function to respond to XML-RPC requests.
@@ -295,7 +317,8 @@
 try:
 method = resolve_dotted_attribute(
 self.instance,
- method_name
+ method_name,
+ self.allow_dotted_names
 )
 except AttributeError:
 pass
@@ -374,7 +397,8 @@
 try:
 func = resolve_dotted_attribute(
 self.instance,
- method
+ method,
+ self.allow_dotted_names
 )
 except AttributeError:
 pass

