Issue 1473048: SimpleXMLRPCServer responds to any path



This issue has been migrated to GitHub: https://github.com/python/cpython/issues/43252

classification

Title: SimpleXMLRPCServer responds to any path
Type:
Stage:
Components: Library (Lib)
Versions:

process

Status: closed
Resolution: accepted
Dependencies:
Superseder:
Assigned To: akuchling
Nosy List: akuchling
Priority: normal
Keywords:

Created on 2006-04-19 15:45 by akuchling, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files

File name: xmlrpc.patch
Uploaded: akuchling, 2006-04-26 12:42
Description: Patch to check path information
Messages (3)

msg28312 - Author: A.M. Kuchling (akuchling) (Python committer) Date: 2006-04-19 15:45
SimpleXMLRPCServer and DocXMLRPCServer don't look at the path of the HTTP request at all; you can POST or GET from / or /RPC2 or /blahblahblah with the same results. One minor problem with this liberality is that a security scanner that looks for vulnerable scripts such as /cgi-bin/phf will report the server as vulnerable. Nessus, for example, reports dozens of security holes on a SimpleXMLRPCServer for this reason. Fix: add a check that only allows '/' or '/RPC2' (maybe just /RPC2?).
msg28313 - Author: A.M. Kuchling (akuchling) (Python committer) Date: 2006-04-26 12:42
The attached patch adds a .rpc_paths attribute that's a tuple of legal paths, and a .is_rpc_path_valid() method that returns True if a path is OK. A .report_404() method generates a 404 error message, and SimpleXMLRPCServer and DocXMLRPCServer are modified to check for legal paths. (Perhaps it should be ._report_404?)
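The path check described in this message survives in Python 3's xmlrpc.server, where SimpleXMLRPCRequestHandler carries rpc_paths, is_rpc_path_valid() and report_404(). The following is an added example, not the attached patch: it starts a server on a loopback port, narrows rpc_paths to /RPC2 alone, and shows that a POST to /RPC2 is dispatched while / and a scanner-style path such as /cgi-bin/phf get a 404 instead of an XML-RPC reply. The registered 'add' function and the use of port 0 are assumptions for the demo.

```python
import http.client
import threading
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


class RestrictedHandler(SimpleXMLRPCRequestHandler):
    # Only this path is treated as an RPC endpoint; is_rpc_path_valid()
    # consults this tuple and report_404() answers every other path.
    rpc_paths = ('/RPC2',)


# Constructed request body: a call to the demo 'add' method with 2 and 3.
CALL_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>add</methodName>'
    '<params><param><value><int>2</int></value></param>'
    '<param><value><int>3</int></value></param></params></methodCall>'
)


def start_server():
    # Port 0 lets the OS pick a free loopback port for the demo.
    server = SimpleXMLRPCServer(('127.0.0.1', 0),
                                requestHandler=RestrictedHandler,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, 'add')
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, path):
    # POST the same XML-RPC call to one path and return the HTTP status.
    conn = http.client.HTTPConnection('127.0.0.1', port, timeout=5)
    conn.request('POST', path, body=CALL_BODY,
                 headers={'Content-Type': 'text/xml'})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_probe():
    # Map each probed path to its status: 200 for /RPC2, 404 elsewhere.
    server = start_server()
    try:
        port = server.server_address[1]
        return {p: probe(port, p) for p in ('/RPC2', '/', '/cgi-bin/phf')}
    finally:
        server.shutdown()
        server.server_close()
```

With the default handler, rpc_paths is ('/', '/RPC2'), so / would also answer 200; the subclass above shows the stricter "maybe just /RPC2?" variant raised in the first message.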
msg28314 - Author: A.M. Kuchling (akuchling) (Python committer) Date: 2006-05-31 14:13
I've applied this patch in rev. 46578.
History

Date                 User       Action  Args
2022-04-11 14:56:16  admin      set     github: 43252
2006-04-19 15:45:22  akuchling  create