Safe Local XMLRPC

Michael Urman murman at gmail.com
Sat Mar 12 05:41:32 CET 2005


Hi. I'm a user of python for about 3 years now. I've written a
client-server application that uses SimpleXMLRPCServer and
xmlrpclib.ServerProxy to communicate. It's intended to be used by a
single-person as a backend and GUI frontend. I've got it running
great. Much stabler than my custom RPC I'd tried before.

I've used the default support available by these classes. Thus it will
run on a potentially public TCP/IP port. As the application backend
allows, among other things, saving files to the local filesystem, this
would be a clear security hole in the wild. Restricting it to
localhost would be a start, but not sufficient for multi-user systems.

It looks like it should be easy to modify both classes (or create
similar composite classes) that used unix-domain stream sockets. I
tried at one point and I think I got the server side, but without a
working client side it was impossible to tell. Is there a better way
to do this, or might someone point to references or sample code for
creating a unix-domain SimpleXMLRPCServer and xmlrpclib.ServerProxy?

Thanks!
-m



More information about the Python-list mailing list