is there a safe marshaler?

Fredrik Lundh fredrik at pythonware.com
Mon Feb 14 19:09:52 EST 2005


Irmen de Jong wrote:

>> I haven't looked at that bug carefully yet but yes, anything exposed
>> to the internet has to be done very carefully, and XML-RPC missed
>> something.
>
> What I know of it is that you had the possibility to arbitrarily follow
> attribute paths, including attributes that should rather be kept hidden.

the bug had nothing to do with the XML-RPC protocol itself; it was a
weakness in the SimpleXMLRPCServer framework which used reflection
to automatically publish instance methods (if you use getattr repeatedly on
an instance, you can access a lot more than just attributes and methods...)

how do you publish "RPC endpoints" in Pyro?

</F> 
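The reflection weakness described in the message above, as an added example that is not part of the original post and is not SimpleXMLRPCServer's own code: a dispatcher that resolves client-supplied names with repeated getattr, beside one that only looks names up in a fixed registry. All class and function names (`Service`, `Backend`, `resolve_by_reflection`, `build_registry`, `resolve_by_registry`) are hypothetical, and the secret is a constructed sample value.

```python
class Backend:
    """Internal helper that was never meant to be remotely callable."""
    def __init__(self):
        self.credentials = "constructed-sample-secret"  # constructed value

    def wipe(self):
        return "wiped"


class Service:
    """Object handed to the RPC framework; only echo() is meant to be public."""
    def __init__(self):
        self._backend = Backend()

    def echo(self, text):
        return text


def resolve_by_reflection(instance, method_name):
    """Weak pattern: follow a client-supplied dotted path with repeated getattr."""
    target = instance
    for part in method_name.split("."):
        target = getattr(target, part)
    return target


def build_registry(instance, exported_names):
    """Hardened pattern: names are resolved once, server-side, from a fixed list."""
    registry = {}
    for name in exported_names:
        method = getattr(instance, name)
        if not callable(method):
            raise TypeError(f"{name!r} is not callable")
        registry[name] = method
    return registry


def resolve_by_registry(registry, method_name):
    """Client input is only ever a dictionary key, never an attribute path."""
    if method_name not in registry:
        raise LookupError(f"method {method_name!r} is not published")
    return registry[method_name]
```

With the registry, the set of reachable callables is exactly the list the server author wrote down, so adding an attribute to the instance later cannot silently publish it.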





