Attachment #50626 for bug #77078

View | Details | Raw Unified | Return to bug 77078
Collapse All | Expand All

Lines 7-12 Link Here

(-)python/Makefile (+1 lines)
7		7
8	PORTNAME= python	8	PORTNAME= python
9	PORTVERSION= 2.4	9	PORTVERSION= 2.4
		10	PORTREVISION= 1
10	CATEGORIES= lang python ipv6	11	CATEGORIES= lang python ipv6
11	MASTER_SITES= ${PYTHON_MASTER_SITES}	12	MASTER_SITES= ${PYTHON_MASTER_SITES}
12	MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}	13	MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}




--- Lib/SimpleXMLRPCServer.py.orig	Sun Oct  3 20:21:44 2004
+++ Lib/SimpleXMLRPCServer.py	Thu Feb  3 19:59:20 2005
@@ -106,14 +106,22 @@
 import sys
 import os
 
-def resolve_dotted_attribute(obj, attr):
+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
     """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
 
     Resolves a dotted attribute name to an object.  Raises
     an AttributeError if any attribute in the chain starts with a '_'.
+
+    If the optional allow_dotted_names argument is false, dots are not
+    supported and this function operates similar to getattr(obj, attr).
     """
 
-    for i in attr.split('.'):
+    if allow_dotted_names:
+        attrs = attr.split('.')
+    else:
+        attrs = [attr]
+
+    for i in attrs:
         if i.startswith('_'):
             raise AttributeError(
                 'attempt to access private attribute "%s"' % i
@@ -155,7 +163,7 @@
         self.funcs = {}
         self.instance = None
 
-    def register_instance(self, instance):
+    def register_instance(self, instance, allow_dotted_names=False):
         """Registers an instance to respond to XML-RPC requests.
 
         Only one instance can be installed at a time.
@@ -173,9 +181,23 @@
 
         If a registered function matches a XML-RPC request, then it
         will be called instead of the registered instance.
+
+        If the optional allow_dotted_names argument is true and the
+        instance does not have a _dispatch method, method names
+        containing dots are supported and resolved, as long as none of
+        the name segments start with an '_'.
+
+            *** SECURITY WARNING: ***
+
+            Enabling the allow_dotted_names options allows intruders
+            to access your module's global variables and may allow
+            intruders to execute arbitrary code on your machine.  Only
+            use this option on a secure, closed network.
+
         """
 
         self.instance = instance
+        self.allow_dotted_names = allow_dotted_names
 
     def register_function(self, function, name = None):
         """Registers a function to respond to XML-RPC requests.
@@ -294,7 +316,8 @@
                 try:
                     method = resolve_dotted_attribute(
                                 self.instance,
-                                method_name
+                                method_name,
+                                self.allow_dotted_names
                                 )
                 except AttributeError:
                     pass
@@ -373,7 +396,8 @@
                     try:
                         func = resolve_dotted_attribute(
                             self.instance,
-                            method
+                            method,
+                            self.allow_dotted_names
                             )
                     except AttributeError:
                         pass

Return to bug 77078

Line 0 Link Here

(-)python/files/patch-Lib::SimpleXMLRPCServer.py (+80 lines)
		1	--- Lib/SimpleXMLRPCServer.py.orig Sun Oct 3 20:21:44 2004
		2	+++ Lib/SimpleXMLRPCServer.py Thu Feb 3 19:59:20 2005
		3	@@ -106,14 +106,22 @@
		4	import sys
		5	import os
		6
		7	-def resolve_dotted_attribute(obj, attr):
		8	+def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
		9	"""resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
		10
		11	Resolves a dotted attribute name to an object. Raises
		12	an AttributeError if any attribute in the chain starts with a '_'.
		13	+
		14	+ If the optional allow_dotted_names argument is false, dots are not
		15	+ supported and this function operates similar to getattr(obj, attr).
		16	"""
		17
		18	- for i in attr.split('.'):
		19	+ if allow_dotted_names:
		20	+ attrs = attr.split('.')
		21	+ else:
		22	+ attrs = [attr]
		23	+
		24	+ for i in attrs:
		25	if i.startswith('_'):
		26	raise AttributeError(
		27	'attempt to access private attribute "%s"' % i
		28	@@ -155,7 +163,7 @@
		29	self.funcs = {}
		30	self.instance = None
		31
		32	- def register_instance(self, instance):
		33	+ def register_instance(self, instance, allow_dotted_names=False):
		34	"""Registers an instance to respond to XML-RPC requests.
		35
		36	Only one instance can be installed at a time.
		37	@@ -173,9 +181,23 @@
		38
		39	If a registered function matches a XML-RPC request, then it
		40	will be called instead of the registered instance.
		41	+
		42	+ If the optional allow_dotted_names argument is true and the
		43	+ instance does not have a _dispatch method, method names
		44	+ containing dots are supported and resolved, as long as none of
		45	+ the name segments start with an '_'.
		46	+
		47	+ * SECURITY WARNING: *
		48	+
		49	+ Enabling the allow_dotted_names options allows intruders
		50	+ to access your module's global variables and may allow
		51	+ intruders to execute arbitrary code on your machine. Only
		52	+ use this option on a secure, closed network.
		53	+
		54	"""
		55
		56	self.instance = instance
		57	+ self.allow_dotted_names = allow_dotted_names
		58
		59	def register_function(self, function, name = None):
		60	"""Registers a function to respond to XML-RPC requests.
		61	@@ -294,7 +316,8 @@
		62	try:
		63	method = resolve_dotted_attribute(
		64	self.instance,
65	- method_name
66	+ method_name,
67	+ self.allow_dotted_names
68	)
69	except AttributeError:
70	pass
71	@@ -373,7 +396,8 @@
72	try:
73	func = resolve_dotted_attribute(
74	self.instance,
75	- method
76	+ method,
77	+ self.allow_dotted_names
78	)
79	except AttributeError:
80	pass