[Python-checkins] python/dist/src/Doc/lib libsimplexmlrpc.tex, 1.7,

gvanrossum at users.sourceforge.net
Thu Feb 3 16:00:51 CET 2005

Update of /cvsroot/python/python/dist/src/Doc/lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv15199/Doc/lib

Modified Files:
      Tag: release24-maint
Log Message:
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.

Index: libsimplexmlrpc.tex
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libsimplexmlrpc.tex,v
retrieving revision 1.7
retrieving revision
diff -u -d -r1.7 -r1.7.2.1
--- libsimplexmlrpc.tex	8 Oct 2004 18:34:47 -0000	1.7
+++ libsimplexmlrpc.tex	3 Feb 2005 15:00:17 -0000
@@ -55,7 +55,8 @@
   period character.
+                                       allow_dotted_names}}
   Register an object which is used to expose method names which have
   not been registered using \method{register_function()}.  If
   \var{instance} contains a \method{_dispatch()} method, it is called
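Review bot: the added signature line `allow_dotted_names}}` introduces the new argument without showing its default, so a reader looking only at the method signature cannot tell whether dotted lookup is on or off when the argument is omitted. Because this is the security-relevant switch, state the default in the signature or in the first sentence of the description; nothing in this hunk says what it is.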
@@ -67,12 +68,26 @@
   The return value from \method{_dispatch()} is returned to the client as
   the result.  If
   \var{instance} does not have a \method{_dispatch()} method, it is
-  searched for an attribute matching the name of the requested method;
+  searched for an attribute matching the name of the requested method.
+  If the optional \var{allow_dotted_names} argument is true and the
+  instance does not have a \method{_dispatch()} method, then
   if the requested method name contains periods, each component of the
   method name is searched for individually, with the effect that a
   simple hierarchical search is performed.  The value found from this
   search is then called with the parameters from the request, and the
   return value is passed back to the client.
+  \begin{notice}[warning]
+  Enabling the \var{allow_dotted_names} option allows intruders to access
+  your module's global variables and may allow intruders to execute
+  arbitrary code on your machine.  Only use this option on a secure,
+  closed network.
+  \end{notice}
+  \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+  prior versions are insecure]{2.3.5, 2.4.1}
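Review bot: the rewritten paragraph starting at `If the optional \var{allow_dotted_names} argument is true` covers only the true case and never says what happens to a request whose method name contains periods when the argument is false or omitted. Add a sentence for that case so readers know whether the name is rejected or looked up as a single attribute. The wording `then if the requested method name contains periods` also repeats the `_dispatch()` condition already given in the preceding sentence and could be shortened to one condition. In the `\versionchanged` entry, `prior versions are insecure` gives upgraders nothing to act on; a note that servers relying on the hierarchical search now need to pass the argument explicitly, subject to the warning above, would make the behaviour change clear.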
