[Python-ideas] Improving xmlrpc introspection

Claudiu Popa pcmanticore at gmail.com
Thu Jun 19 08:35:26 CEST 2014


On Wed, Jun 18, 2014 at 6:52 PM, Skip Montanaro <skip at pobox.com> wrote:
> I might be a bit confused (nothing new there), but it seemed to me
> that Claudiu indicated all his MagicProxy magic happens in the client:
>
>> As we can see, the registered methods can be introspected and calling
>> one with the wrong number of arguments will not trigger a request to
>> the server, but will fail right in the user's code.
>
> I think we will have to see the code to decide if it's a security
> risk. Claudiu, I suggest you open an issue in the tracker so others
> can see how the magic works.
>
> Skip


That's right, the behaviour occurs in the client, the only catch is that
it needs a new method in xmlrpc.server and the server must support
introspection already, by providing the `system` proxy methods.
I already posted a sample patch in the first message
(https://gist.github.com/PCManticore/cf82ab421d4dc5c7f6ff).

Now, something is wrong in the client, because it exec's the information
received in order to create the local functions, but probably there are
other methods for achieving the same behaviour.

Anyway, thank you all for your responses. I admit that I didn't think about
the security implications of this proposal very much and it was
enlightening as is.
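
Added example, not part of this message or the linked gist: one way a client could build local stubs from server-supplied introspection data without exec, treating every received name as data and rejecting anything that is not a plain identifier. The metadata shape (method name mapped to a list of parameter names), the `transport` callable and all function names here are assumptions made for illustration.

```python
import inspect
import keyword

# Constructed sample (assumed shape): method name -> parameter names from the server.
# The last entry models a hostile server smuggling code through a parameter name.
SAMPLE_METADATA = {
    "add": ["a", "b"],
    "echo": ["message"],
    "evil": ["x=print('injected')"],
}

def is_plain_name(value):
    """True only for a str that is a valid, non-keyword Python identifier."""
    return isinstance(value, str) and value.isidentifier() and not keyword.iskeyword(value)

def make_stub(method_name, param_names, transport):
    """Build a local callable from untrusted metadata without exec/eval."""
    if not isinstance(method_name, str) or not all(map(is_plain_name, method_name.split("."))):
        raise ValueError(f"rejected method name: {method_name!r}")
    if not isinstance(param_names, list) or not all(map(is_plain_name, param_names)):
        raise ValueError(f"rejected parameter names for {method_name!r}")
    # Signature() itself raises ValueError on duplicate parameter names.
    sig = inspect.Signature(
        [inspect.Parameter(p, inspect.Parameter.POSITIONAL_OR_KEYWORD) for p in param_names]
    )

    def stub(*args, **kwargs):
        bound = sig.bind(*args, **kwargs)  # TypeError raised here, before any request
        return transport(method_name, tuple(bound.arguments.values()))

    stub.__name__ = method_name.rpartition(".")[2]
    stub.__signature__ = sig  # makes help() and inspect.signature() show the remote params
    return stub

def build_stubs(metadata, transport):
    """Return (stubs, rejected_names); hostile entries are dropped, never evaluated."""
    stubs, rejected = {}, []
    for name, params in metadata.items():
        try:
            stubs[name] = make_stub(name, params, transport)
        except (TypeError, ValueError):
            rejected.append(name)
    return stubs, rejected
```
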

