Attachment #50627 for bug #77079

View | Details | Raw Unified | Return to bug 77079
Collapse All | Expand All

Lines 7-13 Link Here

(-)python22/Makefile (-1 / +1 lines)
7		7
8	PORTNAME= python	8	PORTNAME= python
9	PORTVERSION= 2.2.3	9	PORTVERSION= 2.2.3
10	PORTREVISION= 6	10	PORTREVISION= 7
11	CATEGORIES= lang python ipv6	11	CATEGORIES= lang python ipv6
12	MASTER_SITES= ${PYTHON_MASTER_SITES}	12	MASTER_SITES= ${PYTHON_MASTER_SITES}
13	MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}	13	MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}




--- Lib/SimpleXMLRPCServer.py.orig	Sat Sep 29 01:54:33 2001
+++ Lib/SimpleXMLRPCServer.py	Thu Feb  3 20:07:10 2005
@@ -161,7 +161,8 @@
                     try:
                         func = _resolve_dotted_attribute(
                             self.server.instance,
-                            method
+                            method,
+                            self.allow_dotted_names
                             )
                     except AttributeError:
                         pass
@@ -178,11 +179,20 @@
             BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
 
 
-def _resolve_dotted_attribute(obj, attr):
+def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
     """Resolves a dotted attribute name to an object.  Raises
     an AttributeError if any attribute in the chain starts with a '_'.
+
+    If the optional allow_dotted_names argument is false, dots are not
+    supported and this function operates similar to getattr(obj, attr).
     """
-    for i in attr.split('.'):
+
+    if allow_dotted_names:
+        attrs = attr.split('.')
+    else:
+        attrs = [attr]
+
+    for i in attrs:
         if i.startswith('_'):
             raise AttributeError(
                 'attempt to access private attribute "%s"' % i
@@ -206,7 +216,7 @@
         self.instance = None
         SocketServer.TCPServer.__init__(self, addr, requestHandler)
 
-    def register_instance(self, instance):
+    def register_instance(self, instance, allow_dotted_names=False):
         """Registers an instance to respond to XML-RPC requests.
 
         Only one instance can be installed at a time.
@@ -225,9 +235,23 @@
 
         If a registered function matches a XML-RPC request, then it
         will be called instead of the registered instance.
+
+        If the optional allow_dotted_names argument is true and the
+        instance does not have a _dispatch method, method names
+        containing dots are supported and resolved, as long as none of
+        the name segments start with an '_'.
+
+            *** SECURITY WARNING: ***
+
+            Enabling the allow_dotted_names options allows intruders
+            to access your module's global variables and may allow
+            intruders to execute arbitrary code on your machine.  Only
+            use this option on a secure, closed network.
+
         """
 
         self.instance = instance
+        self.allow_dotted_names = allow_dotted_names
 
     def register_function(self, function, name = None):
         """Registers a function to respond to XML-RPC requests.

Return to bug 77079

Line 0 Link Here

(-)python22/files/patch-Lib::SimpleXMLRPCServer.py (+68 lines)
		1	--- Lib/SimpleXMLRPCServer.py.orig Sat Sep 29 01:54:33 2001
		2	+++ Lib/SimpleXMLRPCServer.py Thu Feb 3 20:07:10 2005
		3	@@ -161,7 +161,8 @@
		4	try:
		5	func = _resolve_dotted_attribute(
		6	self.server.instance,
		7	- method
		8	+ method,
		9	+ self.allow_dotted_names
		10	)
		11	except AttributeError:
		12	pass
		13	@@ -178,11 +179,20 @@
		14	BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
		15
		16
		17	-def _resolve_dotted_attribute(obj, attr):
		18	+def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
		19	"""Resolves a dotted attribute name to an object. Raises
		20	an AttributeError if any attribute in the chain starts with a '_'.
		21	+
		22	+ If the optional allow_dotted_names argument is false, dots are not
		23	+ supported and this function operates similar to getattr(obj, attr).
		24	"""
		25	- for i in attr.split('.'):
		26	+
		27	+ if allow_dotted_names:
		28	+ attrs = attr.split('.')
		29	+ else:
		30	+ attrs = [attr]
		31	+
		32	+ for i in attrs:
		33	if i.startswith('_'):
		34	raise AttributeError(
		35	'attempt to access private attribute "%s"' % i
		36	@@ -206,7 +216,7 @@
		37	self.instance = None
		38	SocketServer.TCPServer.__init__(self, addr, requestHandler)
		39
		40	- def register_instance(self, instance):
		41	+ def register_instance(self, instance, allow_dotted_names=False):
		42	"""Registers an instance to respond to XML-RPC requests.
		43
		44	Only one instance can be installed at a time.
		45	@@ -225,9 +235,23 @@
		46
		47	If a registered function matches a XML-RPC request, then it
		48	will be called instead of the registered instance.
		49	+
		50	+ If the optional allow_dotted_names argument is true and the
		51	+ instance does not have a _dispatch method, method names
		52	+ containing dots are supported and resolved, as long as none of
		53	+ the name segments start with an '_'.
		54	+
		55	+ * SECURITY WARNING: *
		56	+
		57	+ Enabling the allow_dotted_names options allows intruders
		58	+ to access your module's global variables and may allow
		59	+ intruders to execute arbitrary code on your machine. Only
		60	+ use this option on a secure, closed network.
		61	+
		62	"""
		63
		64	self.instance = instance
65	+ self.allow_dotted_names = allow_dotted_names
66
67	def register_function(self, function, name = None):
68	"""Registers a function to respond to XML-RPC requests.