Security fix PSF-2005-001 for SimpleXMLRPCServer.py.

Guido van Rossum 2005-02-03 15:01:24 +00:00
parent 0676dfdce0
commit d064142579
3 changed files with 50 additions and 7 deletions


@ -106,14 +106,22 @@ import BaseHTTPServer
import sys
import os
def resolve_dotted_attribute(obj, attr):
def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
"""resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
Resolves a dotted attribute name to an object. Raises
an AttributeError if any attribute in the chain starts with a '_'.
If the optional allow_dotted_names argument is false, dots are not
supported and this function operates similar to getattr(obj, attr).
"""
for i in attr.split('.'):
if allow_dotted_names:
attrs = attr.split('.')
else:
attrs = [attr]
for i in attrs:
if i.startswith('_'):
raise AttributeError(
'attempt to access private attribute "%s"' % i
@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher:
self.funcs = {}
self.instance = None
def register_instance(self, instance):
def register_instance(self, instance, allow_dotted_names=False):
"""Registers an instance to respond to XML-RPC requests.
Only one instance can be installed at a time.
@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher:
If a registered function matches a XML-RPC request, then it
will be called instead of the registered instance.
If the optional allow_dotted_names argument is true and the
instance does not have a _dispatch method, method names
containing dots are supported and resolved, as long as none of
the name segments start with an '_'.
*** SECURITY WARNING: ***
Enabling the allow_dotted_names options allows intruders
to access your module's global variables and may allow
intruders to execute arbitrary code on your machine. Only
use this option on a secure, closed network.
"""
self.instance = instance
self.allow_dotted_names = allow_dotted_names
def register_function(self, function, name = None):
"""Registers a function to respond to XML-RPC requests.
@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher:
try:
method = resolve_dotted_attribute(
self.instance,
method_name
method_name,
self.allow_dotted_names
)
except AttributeError:
pass
@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher:
try:
func = resolve_dotted_attribute(
self.instance,
method
method,
self.allow_dotted_names
)
except AttributeError:
pass
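Review bot: `self.allow_dotted_names` is assigned only in `register_instance` (second hunk, new line after `self.instance = instance`), while `__init__` in the same hunk still initializes just `self.funcs` and `self.instance`; any code that sets `self.instance` directly, or a subclass that overrides `register_instance`, will hit a missing attribute in the two `_dispatch`-side hunks, where the read sits inside the existing `try: ... except AttributeError: pass` and is silently reported as an unknown method rather than as a programming error. Initializing it in the constructor keeps the fail-closed default explicit: `self.allow_dotted_names = False` right after `self.instance = None`. Separately, the helper `resolve_dotted_attribute` in the first hunk defaults to `allow_dotted_names=True` while `register_instance` defaults to `False`, so a direct caller of the helper still gets dotted traversal unless it opts out; consider noting that asymmetry in the helper's docstring, e.g. `Callers that take attribute names from untrusted input should pass allow_dotted_names=False.` The enclosing `_dispatch`/`system_methodHelp`-style bodies in the last two hunks begin and end outside the hunks shown.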