[Python-checkins] python/dist/src/Doc/lib libsimplexmlrpc.tex, 1.5.14.1, 1.5.14.2
gvanrossum at users.sourceforge.net
Thu Feb 3 15:59:46 CET 2005
Update of /cvsroot/python/python/dist/src/Doc/lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14953/Doc/lib
Modified Files:
Tag: release23-maint
libsimplexmlrpc.tex
Log Message:
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.
Index: libsimplexmlrpc.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libsimplexmlrpc.tex,v
retrieving revision 1.5.14.1
retrieving revision 1.5.14.2
diff -u -d -r1.5.14.1 -r1.5.14.2
--- libsimplexmlrpc.tex 8 Oct 2004 18:35:46 -0000 1.5.14.1
+++ libsimplexmlrpc.tex 3 Feb 2005 14:59:43 -0000 1.5.14.2
@@ -55,19 +55,34 @@
period character.
\end{methoddesc}
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+ allow_dotted_names}}
Register an object which is used to expose method names which have
not been registered using \method{register_function()}. If
\var{instance} contains a \method{_dispatch()} method, it is called
with the requested method name and the parameters from the request;
the return value is returned to the client as the result. If
\var{instance} does not have a \method{_dispatch()} method, it is
- searched for an attribute matching the name of the requested method;
+ searched for an attribute matching the name of the requested method.
+
+ If the optional \var{allow_dotted_names} argument is true and the
+ instance does not have a \method{_dispatch()} method, then
if the requested method name contains periods, each component of the
method name is searched for individually, with the effect that a
simple hierarchical search is performed. The value found from this
search is then called with the parameters from the request, and the
return value is passed back to the client.
+
+ \begin{notice}[warning]
+ Enabling the \var{allow_dotted_names} option allows intruders to access
+ your module's global variables and may allow intruders to execute
+ arbitrary code on your machine. Only use this option on a secure,
+ closed network.
+ \end{notice}
+
+ \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+ prior versions are insecure]{2.3.5, 2.4.1}
+
\end{methoddesc}
\begin{methoddesc}{register_introspection_functions}{}
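Review bot: The new paragraph beginning "If the optional \var{allow_dotted_names} argument is true" never states the default or what happens when the argument is omitted or false; given that the \versionchanged text calls prior versions insecure, say explicitly that the argument defaults to false and that method names containing periods are then not resolved hierarchically. The split also leaves the default case incomplete: the first paragraph now stops at "searched for an attribute matching the name of the requested method." while the sentence saying the value found is called and its return value passed back to the client appears only in the conditional paragraph, so that statement should be repeated or moved so it covers both cases. The warning would be more useful if it pointed readers on untrusted networks to the alternatives this description already mentions, \method{register_function()} or an instance with a \method{_dispatch()} method.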