[Python-checkins] python/dist/src/Doc/lib libsimplexmlrpc.tex, 1.8, 1.9

gvanrossum at users.sourceforge.net gvanrossum at users.sourceforge.net
Thu Feb 3 16:01:27 CET 2005


Update of /cvsroot/python/python/dist/src/Doc/lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv15460/Doc/lib

Modified Files:
	libsimplexmlrpc.tex 
Log Message:
Security fix PSF-2005-001 for SimpleXMLRPCServer.py.

Index: libsimplexmlrpc.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libsimplexmlrpc.tex,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- libsimplexmlrpc.tex	1 Dec 2004 18:34:11 -0000	1.8
+++ libsimplexmlrpc.tex	3 Feb 2005 15:01:23 -0000	1.9
@@ -55,7 +55,8 @@
   period character.
 \end{methoddesc}
 
-\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance}
+\begin{methoddesc}[SimpleXMLRPCServer]{register_instance}{instance\optional{,
+                                       allow_dotted_names}}
   Register an object which is used to expose method names which have
   not been registered using \method{register_function()}.  If
   \var{instance} contains a \method{_dispatch()} method, it is called
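Review bot: the new signature, `register_instance(instance[, allow_dotted_names])`, does not say which value applies when the optional argument is omitted. For a switch that exists for security reasons the reader should not have to infer the default. Suggest stating it in the description, so it is clear from the docs whether a plain `register_instance(obj)` call still performs the dotted-name search.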
@@ -67,12 +68,26 @@
   The return value from \method{_dispatch()} is returned to the client as
   the result.  If
   \var{instance} does not have a \method{_dispatch()} method, it is
-  searched for an attribute matching the name of the requested method;
+  searched for an attribute matching the name of the requested method.
+
+  If the optional \var{allow_dotted_names} argument is true and the
+  instance does not have a \method{_dispatch()} method, then
   if the requested method name contains periods, each component of the
   method name is searched for individually, with the effect that a
   simple hierarchical search is performed.  The value found from this
   search is then called with the parameters from the request, and the
   return value is passed back to the client.
+
+  \begin{notice}[warning]
+  Enabling the \var{allow_dotted_names} option allows intruders to access
+  your module's global variables and may allow intruders to execute
+  arbitrary code on your machine.  Only use this option on a secure,
+  closed network.
+  \end{notice}
+
+  \versionchanged[\var{allow_dotted_names} was added to plug a security hole;
+  prior versions are insecure]{2.3.5, 2.4.1}
+
 \end{methoddesc}
 
 \begin{methoddesc}{register_introspection_functions}{}
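Review bot: the \versionchanged text says only that the argument "was added to plug a security hole; prior versions are insecure", which does not tell existing users what changed in behaviour. As reworded, the paragraph makes the hierarchical search on dotted method names conditional on \var{allow_dotted_names} being true, so servers whose clients call dotted names now have to opt in; suggest saying so explicitly in the \versionchanged note. The warning would also read better if it were tied to the per-component search described just above it, so the reader sees why the option exposes the module's global variables, and if "secure, closed network" were made more specific.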


