is there a safe marshaler?

Irmen de Jong irmen.NOSPAM at xs4all.nl
Mon Feb 14 19:36:35 EST 2005


Fredrik Lundh wrote:

> the bug had nothing to do with the XML-RPC protocol itself;

True, sorry for the confusion. I should have written it more precisely.

> it was a
> weakness in the SimpleXMLRPCServer framework which used reflection
> to automatically publish instance methods (if you use getattr repeatedly on
> an instance, you can access a lot more than just attributes and methods...)
> 
> how do you publish "RPC endpoints" in Pyro?

By reflection :-)   return getattr(self, method)(*args, **keywords)
But Pyro currently treats attribute lookups differently.
It either ignores them completely (you have to enable remote-attribute
access explicitly) or returns attributes as 'local' objects.
What I mean is that you can access a remote attribute of a Pyro object,
but only one level deep. There is no repeated (nested) remote attribute
lookup. It's quite difficult to explain, if you want more details please
read the relevant section in the Pyro manual:
http://pyro.sourceforge.net/manual/7-features.html#nestedattrs
As far as I can see, Pyro is safe from the XMLRPCServer weakness.

Interestingly, I have been thinking for a long time about adding nested
remote attribute lookup to Pyro. I now know that this is perhaps
not a really good idea :)


--Irmen
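
The difference between repeated (nested) getattr dispatch and one-level lookup discussed in this message, as an added example. It is not code from Pyro or SimpleXMLRPCServer; every class and function name below is hypothetical and the secret is a constructed sample value.

```python
import inspect


class Database:
    """Internal helper the service never meant to publish (hypothetical)."""
    def __init__(self):
        self.password = "constructed-sample-secret"

    def drop_all(self):
        return "all tables dropped"


class Service:
    """Object whose public methods are the intended RPC endpoints."""
    def __init__(self):
        self.db = Database()  # internal state, not an endpoint

    def add(self, a, b):
        return a + b

    def _reset(self):
        return "reset"


def dispatch_nested(instance, name, args=()):
    """Weak pattern: resolve a dotted name by calling getattr repeatedly.

    Every object reachable from the instance becomes callable by the peer.
    """
    target = instance
    for part in name.split("."):
        target = getattr(target, part)
    return target(*args)


def dispatch_single(instance, name, args=()):
    """One-level lookup: no dots, no private names, own bound methods only."""
    if "." in name or name.startswith("_"):
        raise PermissionError("method %r is not published" % name)
    target = getattr(instance, name, None)
    # Reject plain attributes and anything not bound to this very instance.
    if not inspect.ismethod(target) or target.__self__ is not instance:
        raise PermissionError("method %r is not published" % name)
    return target(*args)
```

An explicit allowlist of published method names is stricter still than the checks in dispatch_single, since it does not depend on a naming convention.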


