[Bug #1473048]
SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.
Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.
Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal. Maybe this will break people's applications
(though I doubt it). We could just set the default to an empty tuple,
which would exactly match the current behaviour.
diff --git a/Doc/lib/libsimplexmlrpc.tex b/Doc/lib/libsimplexmlrpc.tex
index a25cabf..7a97861 100644
--- a/Doc/lib/libsimplexmlrpc.tex
+++ b/Doc/lib/libsimplexmlrpc.tex
@@ -111,6 +111,15 @@
Registers the XML-RPC multicall function system.multicall.
\end{methoddesc}
+\begin{memberdesc}[SimpleXMLRPCServer]{rpc_paths}
+An attribute value that must be a tuple listing valid path portions of
+the URL for receiving XML-RPC requests. Requests posted to other
+paths will result in a 404 ``no such page'' HTTP error. If this
+tuple is empty, all paths will be considered valid.
+The default value is \code{('/', '/RPC2')}.
+ \versionadded{2.5}
+\end{memberdesc}
+
Example:
\begin{verbatim}