Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex
index 0170c1a..9297a4e 100644
--- a/Doc/lib/libsimplexmlrpc.tex
+++ b/Doc/lib/libsimplexmlrpc.tex
@@ -55,7 +55,8 @@
period character.
\end{methoddesc}
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+ allow_dotted_names}}
Register an object which is used to expose method names which have
not been registered using \method{register_function()}. If
\var{instance} contains a \method{_dispatch()} method, it is called
@@ -67,12 +68,26 @@
The return value from \method{_dispatch()} is returned to the client as
the result. If
\var{instance} does not have a \method{_dispatch()} method, it is
- searched for an attribute matching the name of the requested method;
+ searched for an attribute matching the name of the requested method.
+
+ If the optional \var{allow_dotted_names} argument is true and the
+ instance does not have a \method{_dispatch()} method, then
if the requested method name contains periods, each component of the
method name is searched for individually, with the effect that a
simple hierarchical search is performed. The value found from this
search is then called with the parameters from the request, and the
return value is passed back to the client.
+
+ \begin{notice}[warning]
+ Enabling the \var{allow_dotted_names} option allows intruders to access
+ your module's global variables and may allow intruders to execute
+ arbitrary code on your machine. Only use this option on a secure,
+ closed network.
+ \end{notice}
+
+ \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+ prior versions are insecure]{2.3.5, 2.4.1}
+
\end{methoddesc}
\begin{methoddesc}{register_introspection_functions}{}
diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py
index 68a20ef..315ce84 100644
--- a/Lib/SimpleXMLRPCServer.py
+++ b/Lib/SimpleXMLRPCServer.py
@@ -106,14 +106,22 @@
import sys
import os
-def resolve_dotted_attribute(obj, attr):
+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
"""resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
Resolves a dotted attribute name to an object. Raises
an AttributeError if any attribute in the chain starts with a '_'.
+
+ If the optional allow_dotted_names argument is false, dots are not
+ supported and this function operates similar to getattr(obj, attr).
"""
- for i in attr.split('.'):
+ if allow_dotted_names:
+ attrs = attr.split('.')
+ else:
+ attrs = [attr]
+
+ for i in attrs:
if i.startswith('_'):
raise AttributeError(
'attempt to access private attribute "%s"' % i
@@ -155,7 +163,7 @@
self.funcs = {}
self.instance = None
- def register_instance(self, instance):
+ def register_instance(self, instance, allow_dotted_names=False):
"""Registers an instance to respond to XML-RPC requests.
Only one instance can be installed at a time.
@@ -173,9 +181,23 @@
If a registered function matches a XML-RPC request, then it
will be called instead of the registered instance.
+
+ If the optional allow_dotted_names argument is true and the
+ instance does not have a _dispatch method, method names
+ containing dots are supported and resolved, as long as none of
+ the name segments start with an '_'.
+
+ *** SECURITY WARNING: ***
+
+ Enabling the allow_dotted_names options allows intruders
+ to access your module's global variables and may allow
+ intruders to execute arbitrary code on your machine. Only
+ use this option on a secure, closed network.
+
"""
self.instance = instance
+ self.allow_dotted_names = allow_dotted_names
def register_function(self, function, name = None):
"""Registers a function to respond to XML-RPC requests.
@@ -294,7 +316,8 @@
try:
method = resolve_dotted_attribute(
self.instance,
- method_name
+ method_name,
+ self.allow_dotted_names
)
except AttributeError:
pass
@@ -373,7 +396,8 @@
try:
func = resolve_dotted_attribute(
self.instance,
- method
+ method,
+ self.allow_dotted_names
)
except AttributeError:
pass
diff --git a/Misc/NEWS b/Misc/NEWS
index 926ac52..42a5abc 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -47,6 +47,10 @@
Library
-------
+- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This
+ disables recursive traversal through instance attributes, which can
+ be exploited in various ways.
+
- Bug #1110478: Revert os.environ.update to do putenv again.
- Bug #1103844: fix distutils.install.dump_dirs() with negated options.