Bugs item #1473048, was opened at 2006-04-19 11:45
Message generated for change (Comment added) made by akuchling
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1473048&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: None
>Status: Closed
>Resolution: Accepted
Priority: 5
Submitted By: A.M. Kuchling (akuchling)
>Assigned to: A.M. Kuchling (akuchling)
Summary: SimpleXMLRPCServer responds to any path

Initial Comment:
SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.

One minor problem with this liberality is that a
security scanner that looks for vulnerable scripts such
as /cgi-bin/phf will report the server as vulnerable. 
Nessus, for example, reports dozens of security holes
on a SimpleXMLRPCServer for this reason.

Fix: add a check that only allows '/' or '/RPC2' (maybe
just /RPC2?).



----------------------------------------------------------------------

>Comment By: A.M. Kuchling (akuchling)
Date: 2006-05-31 10:13

Message:
Logged In: YES 
user_id=11375

I've applied this patch in rev. 46578.

----------------------------------------------------------------------

Comment By: A.M. Kuchling (akuchling)
Date: 2006-04-26 08:42

Message:
Logged In: YES 
user_id=11375

The attached patch adds a .rpc_paths attribute that's a
tuple of legal paths, and a .is_rpc_path_valid() method that
returns True if a path is OK.

A .report_404() method generates a 404 error message, and
SimpleXMLRPCServer and DocXMLRPCServer are modified to check
for legal paths.  (Perhaps it should be ._report_404?)


----------------------------------------------------------------------
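The design described in the comment above (an `rpc_paths` tuple, an `is_rpc_path_valid()` check and a `report_404()` response) is what Python's `xmlrpc.server.SimpleXMLRPCRequestHandler` ships today. The following is an added example, not the patch attached to this report, showing the check in use on Python 3: a handler subclass that narrows `rpc_paths` to `/RPC2` only, plus a probe that starts the server on a loopback port and POSTs the same XML-RPC call to an allowed path and to the kind of scanner paths the report mentions. The names `RestrictedHandler`, `path_is_valid` and `probe_paths` are assumptions for this example.

```python
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer


class RestrictedHandler(SimpleXMLRPCRequestHandler):
    """Handler that accepts XML-RPC only on /RPC2 (hypothetical subclass for this example)."""

    # Narrower than the library default of ('/', '/RPC2'); anything else gets a 404
    # from the library's own is_rpc_path_valid() / report_404() pair.
    rpc_paths = ("/RPC2",)

    def log_message(self, format, *args):
        # Silence per-request logging so the example runs quietly.
        pass


def path_is_valid(path, rpc_paths=("/", "/RPC2")):
    """Standalone mirror of the handler's path check.

    Mirrors the library semantics: an empty rpc_paths means *every* path is
    accepted, which is the behaviour this bug report set out to avoid.
    """
    if rpc_paths:
        return path in rpc_paths
    return True


def probe_paths(paths):
    """Start a restricted server on an ephemeral loopback port and POST the same
    XML-RPC call to each path. Returns {path: (http_status, decoded_result_or_None)}."""
    server = SimpleXMLRPCServer(
        ("127.0.0.1", 0), requestHandler=RestrictedHandler, logRequests=False
    )
    server.register_function(lambda x: x * 2, "double")
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()

    # A well-formed call built with the library's own marshaller (constructed input).
    body = xmlrpc.client.dumps((21,), methodname="double").encode("utf-8")
    results = {}
    try:
        for path in paths:
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request("POST", path, body=body, headers={"Content-Type": "text/xml"})
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            if resp.status == 200:
                # loads() returns (params, methodname); params holds the single result.
                value = xmlrpc.client.loads(data)[0][0]
            else:
                value = None
            results[path] = (resp.status, value)
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    # Expected: /RPC2 -> (200, 42); the other two -> (404, None)
    for path, outcome in probe_paths(["/RPC2", "/", "/cgi-bin/phf"]).items():
        print(f"{path:15s} {outcome}")
```

The 404 on `/cgi-bin/phf` is exactly what stops a scanner from treating every probe as a hit. Note the library caveat mirrored in `path_is_valid`: setting `rpc_paths` to an empty tuple re-enables the original respond-to-anything behaviour, so a hardened deployment should always leave at least one explicit path in the tuple.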

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1473048&group_id=5470
_______________________________________________
Python-bugs-list mailing list 
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com