[Python-checkins] python/dist/src/Doc/lib libsimplexmlrpc.tex, 1.7, 1.7.2.1

gvanrossum at users.sourceforge.net
Thu Feb 3 16:00:51 CET 2005


Update of /cvsroot/python/python/dist/src/Doc/lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv15199/Doc/lib
Modified Files:
 Tag: release24-maint
	libsimplexmlrpc.tex 
Log Message:
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
Index: libsimplexmlrpc.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libsimplexmlrpc.tex,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -d -r1.7 -r1.7.2.1
--- libsimplexmlrpc.tex	8 Oct 2004 18:34:47 -0000	1.7
+++ libsimplexmlrpc.tex	3 Feb 2005 15:00:17 -0000	1.7.2.1
@@ -55,7 +55,8 @@
 period character.
 \end{methoddesc}
 
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+ allow_dotted_names}}
 Register an object which is used to expose method names which have
 not been registered using \method{register_function()}. If
 \var{instance} contains a \method{_dispatch()} method, it is called
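Review bot: The new signature introduces \var{allow_dotted_names} as optional but does not give its default, and nothing in this hunk tells the reader what happens when the argument is omitted. Since this is a security fix, put the default in the signature or state it in the first sentence of the description, so that anyone reading only the method heading knows whether an existing register_instance(instance) call keeps or loses dotted-name lookup after upgrading.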
@@ -67,12 +68,26 @@
 The return value from \method{_dispatch()} is returned to the client as
 the result. If
 \var{instance} does not have a \method{_dispatch()} method, it is
- searched for an attribute matching the name of the requested method;
+ searched for an attribute matching the name of the requested method.
+
+ If the optional \var{allow_dotted_names} argument is true and the
+ instance does not have a \method{_dispatch()} method, then
 if the requested method name contains periods, each component of the
 method name is searched for individually, with the effect that a
 simple hierarchical search is performed. The value found from this
 search is then called with the parameters from the request, and the
 return value is passed back to the client.
+
+ \begin{notice}[warning]
+ Enabling the \var{allow_dotted_names} option allows intruders to access
+ your module's global variables and may allow intruders to execute
+ arbitrary code on your machine. Only use this option on a secure,
+ closed network.
+ \end{notice}
+
+ \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+ prior versions are insecure]{2.3.5, 2.4.1}
+
 \end{methoddesc}
 
 \begin{methoddesc}{register_introspection_functions}{}
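Review bot: The added paragraph documents only the case where \var{allow_dotted_names} is true; it never says what the server does with a method name containing periods when the argument is false (for example, whether the request is rejected or the full name is looked up as a single attribute). Add one sentence covering the false case. The sentence joining the new and old text also reads "then if the requested method name contains periods", which is hard to parse; consider rewording it so the two conditions are stated together. Finally, the \versionchanged note says prior versions are insecure but does not say that callers who relied on hierarchical lookup must now pass the argument explicitly, which is the compatibility point upgraders will look for.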

