python/dist/src/Doc/lib libsimplexmlrpc.tex, 1.5.14.1, 1.5.14.2
Update of /cvsroot/python/python/dist/src/Doc/lib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14953/Doc/lib Modified Files: Tag: release23-maint libsimplexmlrpc.tex Log Message: Security fix PSF-2005-001 for SimpleXMLRPCServer.py. Index: libsimplexmlrpc.tex =================================================================== RCS file: /cvsroot/python/python/dist/src/Doc/lib/libsimplexmlrpc.tex,v retrieving revision 1.5.14.1 retrieving revision 1.5.14.2 diff -u -d -r1.5.14.1 -r1.5.14.2 --- libsimplexmlrpc.tex 8 Oct 2004 18:35:46 -0000 1.5.14.1 +++ libsimplexmlrpc.tex 3 Feb 2005 14:59:43 -0000 1.5.14.2 
@@ -55,19 +55,34 @@ period character. \end{methoddesc} -\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance} +\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{, + allow_dotted_names}} Register an object which is used to expose method names which have not been registered using \method{register_function()}. If \var{instance} contains a \method{_dispatch()} method, it is called with the requested method name and the parameters from the request; the return value is returned to the client as the result. If \var{instance} does not have a \method{_dispatch()} method, it is - searched for an attribute matching the name of the requested method; + searched for an attribute matching the name of the requested method. + + If the optional \var{allow_dotted_names} argument is true and the + instance does not have a \method{_dispatch()} method, then if the requested method name contains periods, each component of the method name is searched for individually, with the effect that a simple hierarchical search is performed. The value found from this search is then called with the parameters from the request, and the return value is passed back to the client. + + \begin{notice}[warning] + Enabling the \var{allow_dotted_names} option allows intruders to access + your module's global variables and may allow intruders to execute + arbitrary code on your machine. Only use this option on a secure, + closed network. + \end{notice} + + \versionchanged[\var{allow_dotted_names} was added to plug a security hole; + prior versions are insecure]{2.3.5, 2.4.1} + \end{methoddesc} \begin{methoddesc}{register_introspection_functions}{}
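Review bot: The new second paragraph of the register_instance entry only describes what happens when \var{allow_dotted_names} is true; it never states the default, nor how a request whose method name contains periods is handled when the option is off. For a change whose \versionchanged note says it plugs a security hole, that is the case readers most need spelled out, so suggest stating the default and the off-behaviour explicitly in that paragraph. Separately, after the split the sentence "The value found from this search is then called with the parameters from the request, and the return value is passed back to the client." sits inside the allow_dotted_names paragraph, so the plain attribute lookup in the preceding paragraph no longer says the attribute it finds is called. Moving that sentence into its own paragraph after both cases would cover the two lookups. The warning notice would also be easier to act on if it said that the exposure applies only to instances without a \method{_dispatch()} method, which is the condition the paragraph above it already gives.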
participants (1)
- gvanrossum@users.sourceforge.net