[Python-checkins] python/dist/src/Doc/lib libsimplexmlrpc.tex, 1.5.14.1, 1.5.14.2

gvanrossum at users.sourceforge.net gvanrossum at users.sourceforge.net
Thu Feb 3 15:59:46 CET 2005


Update of /cvsroot/python/python/dist/src/Doc/lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14953/Doc/lib

Modified Files:
      Tag: release23-maint
	libsimplexmlrpc.tex 
Log Message:
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.

Index: libsimplexmlrpc.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libsimplexmlrpc.tex,v
retrieving revision 1.5.14.1
retrieving revision 1.5.14.2
diff -u -d -r1.5.14.1 -r1.5.14.2
--- libsimplexmlrpc.tex	8 Oct 2004 18:35:46 -0000	1.5.14.1
+++ libsimplexmlrpc.tex	3 Feb 2005 14:59:43 -0000	1.5.14.2
@@ -55,19 +55,34 @@
   period character.
 \end{methoddesc}
 
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+                                       allow_dotted_names}}
   Register an object which is used to expose method names which have
   not been registered using \method{register_function()}.  If
   \var{instance} contains a \method{_dispatch()} method, it is called
   with the requested method name and the parameters from the request;
   the return value is returned to the client as the result.  If
   \var{instance} does not have a \method{_dispatch()} method, it is
-  searched for an attribute matching the name of the requested method;
+  searched for an attribute matching the name of the requested method.
+
+  If the optional \var{allow_dotted_names} argument is true and the
+  instance does not have a \method{_dispatch()} method, then
   if the requested method name contains periods, each component of the
   method name is searched for individually, with the effect that a
   simple hierarchical search is performed.  The value found from this
   search is then called with the parameters from the request, and the
   return value is passed back to the client.
+
+  \begin{notice}[warning]
+  Enabling the \var{allow_dotted_names} option allows intruders to access
+  your module's global variables and may allow intruders to execute
+  arbitrary code on your machine.  Only use this option on a secure,
+  closed network.
+  \end{notice}
+
+  \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+  prior versions are insecure]{2.3.5, 2.4.1}
+
 \end{methoddesc}
 
 \begin{methoddesc}{register_introspection_functions}{}


