SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.

Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.

Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal.  Maybe this will break people's applications
(though I doubt it).  We could just set the default to an empty tuple,
which would exactly match the current behaviour.
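The check the commit describes, as an added example (constructed here, not code from CPython or from this commit): a subclass of `xmlrpc.server.SimpleXMLRPCRequestHandler` with a restrictive `rpc_paths` allowlist, probed over loopback with a valid path and two disallowed ones, including the `/cgi-bin/phf` path the message mentions. It assumes the modern `xmlrpc.server` module name and that binding a loopback port is permitted; the `add` function and the probe paths are constructed sample input.

```python
"""Added example: observe how rpc_paths limits which URL paths an XML-RPC
server answers. Constructed for illustration; not CPython's own code."""
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


class StrictHandler(SimpleXMLRPCRequestHandler):
    # Allowlist: only this path is served; any other path gets a 404.
    # (The stdlib default also allows '/', which the commit keeps legal.)
    rpc_paths = ('/RPC2',)

    def log_message(self, format, *args):
        # Silence per-request logging so the example output stays readable.
        pass


def start_server():
    """Start a loopback XML-RPC server on an ephemeral port in a daemon thread."""
    server = SimpleXMLRPCServer(('127.0.0.1', 0), requestHandler=StrictHandler,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, 'add')   # constructed method
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, path):
    """POST a well-formed XML-RPC call to `path`; return the HTTP status code."""
    body = xmlrpc.client.dumps((2, 3), methodname='add')
    conn = http.client.HTTPConnection('127.0.0.1', port, timeout=5)
    try:
        conn.request('POST', path, body, {'Content-Type': 'text/xml'})
        resp = conn.getresponse()
        resp.read()            # drain the body so the connection closes cleanly
        return resp.status
    finally:
        conn.close()


def demo():
    """Map each probed path to the status the server returned."""
    server = start_server()
    port = server.server_address[1]
    try:
        # Constructed sample paths: one allowed, two that a scanner might try.
        return {p: probe(port, p) for p in ('/RPC2', '/', '/cgi-bin/phf')}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == '__main__':
    for path, status in demo().items():
        print(f'{path:15} -> {status}')
```

With the allowlist in place, only `/RPC2` returns 200; `/` and `/cgi-bin/phf` return 404 instead of being dispatched, which is exactly the behaviour that stops path-based scanners from flagging every URL on the server. Setting `rpc_paths = ()` restores the old accept-everything behaviour the message mentions.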
This commit is contained in:
Andrew M. Kuchling 2006-05-31 14:08:48 +00:00
parent bc09e1086e
commit 622f144175
3 changed files with 41 additions and 0 deletions


@ -227,6 +227,10 @@ def do_GET(self):
Interpret all HTTP GET requests as requests for server
documentation.
"""
# Check that the path is legal
if not self.is_rpc_path_valid():
self.report_404()
return
response = self.server.generate_html_documentation()
self.send_response(200)
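Review bot: this hunk guards only do_GET in DocXMLRPCServer, but the commit message says the problem applies to POST as well; the matching `is_rpc_path_valid()` check must also be in do_POST of SimpleXMLRPCServer (presumably in one of the other two changed files, which are not shown here). Neither `is_rpc_path_valid` nor `report_404` is defined in this hunk, so confirm both are added to the request-handler class alongside the `.rpc_paths` attribute, and that an empty `.rpc_paths` tuple is treated as "all paths legal" as the message proposes, otherwise the empty-tuple compatibility option would instead reject every request.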