Irmen de Jong wrote:
>> I haven't looked at that bug carefully yet but yes, anything exposed
>> to the internet has to be done very carefully, and XML-RPC missed
>> something.
>
> What I know of it is that you had the possibility to arbitrarily follow
> attribute paths, including attributes that should rather be kept hidden.

the bug had nothing to do with the XML-RPC protocol itself; it was a weakness in
the SimpleXMLRPCServer framework which used reflection to automatically publish
instance methods (if you use getattr repeatedly on an instance, you can access a
lot more than just attributes and methods...)

how do you publish "RPC endpoints" in Pyro?

</F>
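
The reflection weakness described in the message above, as an added example that is not part of the original post and is not SimpleXMLRPCServer's own code: a resolver that calls getattr once per dotted component, next to a dispatcher that only serves explicitly published names. `Calculator`, `naive_resolve` and `Registry` are hypothetical names, and the secret value is constructed.

```python
class Calculator:
    """Constructed sample service (hypothetical): one method meant to be public."""

    def __init__(self):
        self._api_key = "constructed-secret"  # should never be reachable remotely

    def add(self, a, b):
        return a + b


def naive_resolve(instance, dotted_name):
    """Reflection-based lookup (hypothetical): getattr once per dotted component."""
    obj = instance
    for part in dotted_name.split("."):
        obj = getattr(obj, part)
    return obj


class Registry:
    """Explicit publication (hypothetical): only registered names can be called."""

    def __init__(self):
        self._methods = {}

    def publish(self, name, func):
        self._methods[name] = func

    def resolve(self, name):
        # Exact-match lookup; the client-supplied name is never passed to getattr.
        try:
            return self._methods[name]
        except KeyError:
            raise LookupError("method %r is not published" % name) from None


def demo():
    calc = Calculator()
    # A bound method's __self__ leads back to the instance and its hidden state.
    leaked = naive_resolve(calc, "add.__self__._api_key")
    registry = Registry()
    registry.publish("add", calc.add)
    try:
        registry.resolve("add.__self__._api_key")
    except LookupError:
        return leaked, registry.resolve("add")(2, 3), True
    return leaked, None, False


if __name__ == "__main__":
    print(demo())
```
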