➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2006-04-19 15:45 by akuchling, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| xmlrpc.patch | akuchling, 2006-04-26 12:42 | Patch to check path information | ||
| Messages (3) | |||
|---|---|---|---|
| msg28312 - (view) | Author: A.M. Kuchling (akuchling) *  |
Date: 2006-04-19 15:45 | |
SimpleXMLRPCServer and DocXMLRPCServer don't look at the path of the HTTP request at all; you can POST or GET from / or /RPC2 or /blahblahblah with the same results. One minor problem with this liberality is that a security scanner that looks for vulnerable scripts such as /cgi-bin/phf will report the server as vulnerable. Nessus, for example, reports dozens of security holes on a SimpleXMLRPCServer for this reason. Fix: add a check that only allows '/' or '/RPC2' (maybe just /RPC2?). |
|||
| msg28313 - (view) | Author: A.M. Kuchling (akuchling) * |
Date: 2006-04-26 12:42 | |
Logged In: YES user_id=11375 The attached patch adds a .rpc_paths attribute that's a tuple of legal paths, and a .is_rpc_path_valid() method that returns True if a path is OK. A .report_404() method generates a 404 error message, and SimpleXMLRPCServer and DocXMLRPCServer are modified to check for legal paths. (Perhaps it should be ._report_404?) |
|||
| msg28314 - (view) | Author: A.M. Kuchling (akuchling) * |
Date: 2006-05-31 14:13 | |
Logged In: YES user_id=11375 I've applied this patch in rev. 46578. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:16 | admin | set | github: 43252 |
| 2006-04-19 15:45:22 | akuchling | create | |