period character.
\end{methoddesc}
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+ allow_dotted_names}}
Register an object which is used to expose method names which have
not been registered using \method{register_function()}. If
\var{instance} contains a \method{_dispatch()} method, it is called
with the requested method name and the parameters from the request;
the return value is returned to the client as the result. If
\var{instance} does not have a \method{_dispatch()} method, it is
- searched for an attribute matching the name of the requested method;
+ searched for an attribute matching the name of the requested method.
+
+ If the optional \var{allow_dotted_names} argument is true and the
+ instance does not have a \method{_dispatch()} method, then
if the requested method name contains periods, each component of the
method name is searched for individually, with the effect that a
simple hierarchical search is performed. The value found from this
search is then called with the parameters from the request, and the
return value is passed back to the client.
+
+ \begin{notice}[warning]
+ Enabling the \var{allow_dotted_names} option allows intruders to access
+ your module's global variables and may allow intruders to execute
+ arbitrary code on your machine. Only use this option on a secure,
+ closed network.
+ \end{notice}
+
+ \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+ prior versions are insecure]{2.3.5, 2.4.1}
+
\end{methoddesc}
\begin{methoddesc}{register_introspection_functions}{}
import types
import os
-def resolve_dotted_attribute(obj, attr):
+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
"""resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
Resolves a dotted attribute name to an object. Raises
an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
"""
- for i in attr.split('.'):
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
if i.startswith('_'):
raise AttributeError(
'attempt to access private attribute "%s"' % i
self.funcs = {}
self.instance = None
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
"""Registers an instance to respond to XML-RPC requests.
Only one instance can be installed at a time.
If a registered function matches a XML-RPC request, then it
will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
"""
self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
def register_function(self, function, name = None):
"""Registers a function to respond to XML-RPC requests.
try:
method = resolve_dotted_attribute(
self.instance,
- method_name
+ method_name,
+ self.allow_dotted_names
)
except AttributeError:
pass
try:
func = resolve_dotted_attribute(
self.instance,
- method
+ method,
+ self.allow_dotted_names
)
except AttributeError:
pass
Core and builtins
-----------------
+
- Partially revert the fix for #1074011; don't try to fflush stdin anymore.
+Library
+-------
+
+- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This
+ disables recursive traversal through instance attributes, which can
+ be exploited in various ways.
+
+
What's New in Python 2.3.5rc1?
==============================
projects / thirdparty / Python / cpython.git / commitdiff
