[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-28 Thread Larry Hastings
Change by Larry Hastings : -- resolution: -> fixed status: open -> closed ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-28 Thread Larry Hastings
Larry Hastings added the comment: New changeset 3fe1b19265b55c290fc956e9aafcf661803782de by larryhastings (Victor Stinner) in branch '3.5': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516) https://github.com/python/cpython/commit/3fe1b19265b55c290fc956e9aafcf66

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread Dong-hee Na
Dong-hee Na added the comment: > I prefer to keep it open until the 3.5 backport is merged. Sorry, I didn't find it. Yes, we should leave it open until the PR is merged.

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread STINNER Victor
STINNER Victor added the comment: I prefer to keep it open until the 3.5 backport is merged. -- resolution: fixed -> (unset); status: closed -> open

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread Dong-hee Na
Change by Dong-hee Na: resolution: (unset) -> fixed; stage: patch review -> resolved; status: open -> closed

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread STINNER Victor
Change by STINNER Victor: pull_requests: +16106; pull_request: https://github.com/python/cpython/pull/16516

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread STINNER Victor
STINNER Victor added the comment: New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner (Dong-hee Na) in branch '2.7': [2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447) https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-28 Thread Ned Deily
Ned Deily added the comment: New changeset 1698cacfb924d1df452e78d11a4bf81ae389 by Ned Deily (Victor Stinner) in branch '3.6': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae389

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread Dong-hee Na
Change by Dong-hee Na: pull_requests: +16026; pull_request: https://github.com/python/cpython/pull/16447

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread Dong-hee Na
Dong-hee Na added the comment: Sure!

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread STINNER Victor
STINNER Victor added the comment: @Dong-hee Na: Would you mind trying to backport the change to Python 2.7, which also has the bug?

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington
miss-islington added the comment: New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) in branch '3.8': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington
miss-islington added the comment: New changeset 39a0c730e31c6941a78da19b6a5b61170687 by Miss Islington (bot) in branch '3.7': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) https://github.com/python/cpython/commit/39a0c730e31c6941a78da19b6a5b61170687 -- nosy: +

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread STINNER Victor
Change by STINNER Victor: pull_requests: +16020; pull_request: https://github.com/python/cpython/pull/16441

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington
Change by miss-islington: pull_requests: +16019; pull_request: https://github.com/python/cpython/pull/16440

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington
Change by miss-islington: pull_requests: +16018; pull_request: https://github.com/python/cpython/pull/16439

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread STINNER Victor
STINNER Victor added the comment: New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner (Dong-hee Na) in branch 'master': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-26 Thread Dong-hee Na
Dong-hee Na added the comment: @vstinner Thank you for the feedback. I've updated the PR with the unit test you suggested :-)

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-25 Thread STINNER Victor
STINNER Victor added the comment: > I've proposed the patch on GitHub which escapes the server_title when documenter.page is called. (It is a different point from msg353132.) The attached poc.py seems to show that server name and server documentation are not escaped either. server.set_ser

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-25 Thread STINNER Victor
STINNER Victor added the comment: > Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/. The private security mailing list has been contacted first and we advise opening a public issue since we consider that it's no

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na
Dong-hee Na added the comment: I've proposed the patch on GitHub which escapes the server_title when documenter.page is called. (It is a different point from msg353132.)

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na
Change by Dong-hee Na: keywords: +patch; pull_requests: +15953; stage: (unset) -> patch review; pull_request: https://github.com/python/cpython/pull/16373

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na
Dong-hee Na added the comment: Looks like this issue can be solved by the code change below. @@ -833,7 +834,7 @@ class XMLRPCDocGenerator: def set_server_title(self, server_title): """Set the HTML title of the generated server documentation""" -self.server_title = server_ti
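Review bot: escaping inside set_server_title (the visible `-self.server_title = server_ti` line; the replacement `+` line is cut off in this excerpt) covers only the value that arrives through that one setter, and the thread later notes that the server name and server documentation are not escaped either, so the escape belongs where documenter.page is called, the single point every stored field passes through before it reaches the HTML template; the change also needs a unit test that sets a title containing `<` and checks the generated page for the escaped form.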

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na
Change by Dong-hee Na: nosy: +corona10

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread STINNER Victor
Change by STINNER Victor: nosy: +mdk, vstinner

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-21 Thread Ned Deily
Change by Ned Deily: keywords: +security_issue; priority: normal -> high; versions: +Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-20 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/. -- nosy: +xtreak

[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-20 Thread longwenzhang
New submission from longwenzhang: It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x. Steps to reproduce: 1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() will escape the special symbols to safe (such as <," e
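The point the thread settles on is that markup() escapes method documentation but the server title was dropped raw into the page template, and that the fix is to apply html.escape() where the page is rendered rather than in one setter. The script below is an added example, not code from the report, the PR or CPython: page_unescaped and page_escaped are reduced stand-ins for the pydoc template (the real one is pydoc.HTMLDoc.page), title_is_contained is a check written here, and stdlib_escapes_server_title is a probe that runs the installed xmlrpc.server documentation generator in-process (DocCGIXMLRPCRequestHandler, set_server_title and generate_html_documentation are the real standard-library API) so a deployment can confirm its interpreter carries the fix. PROBE_TITLE is a constructed value.

```python
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed probe value (not taken from the report): a title that would close
# the <title> element and start new markup if interpolated without escaping.
PROBE_TITLE = "Acme RPC </title><b>injected</b>"


def page_unescaped(title, contents):
    """Reduced stand-in for the pre-fix template: the title is interpolated raw.
    The real template is pydoc.HTMLDoc.page; only the shape matters here."""
    return (
        "<html><head><title>Python: %s</title></head>"
        "<body>%s</body></html>" % (title, contents)
    )


def page_escaped(title, contents):
    """Same template with the fix applied: html.escape() runs where the page is
    built, so every path that stores a title is covered, not just one setter."""
    return page_unescaped(html.escape(title, quote=True), contents)


def title_is_contained(page_html):
    """True when the <title> element carries no live markup: exactly one closing
    tag in the document and no '<' inside the element's text."""
    start = page_html.find("<title>")
    end = page_html.find("</title>")
    if start < 0 or end < 0 or page_html.count("</title>") != 1:
        return False
    inner = page_html[start + len("<title>"):end]
    return "<" not in inner


def stdlib_escapes_server_title(title=PROBE_TITLE):
    """Probe the installed xmlrpc.server. DocCGIXMLRPCRequestHandler exposes the
    XMLRPCDocGenerator without binding a socket, so the title can be set and the
    documentation page rendered entirely in-process."""
    handler = DocCGIXMLRPCRequestHandler()
    handler.set_server_title(title)
    return title_is_contained(handler.generate_html_documentation())


if __name__ == "__main__":
    print("raw template keeps the title contained:",
          title_is_contained(page_unescaped(PROBE_TITLE, "")))
    print("escaped template keeps the title contained:",
          title_is_contained(page_escaped(PROBE_TITLE, "")))
    print("installed xmlrpc.server escapes server_title:",
          stdlib_escapes_server_title())
```

The probe returns False on an interpreter that predates the fix and True on a patched one; the structural check (one closing tag, no `<` in the element text) is deliberately independent of the exact escaped encoding, so it works against any template that interpolates the title into `<title>`.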