SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.
Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.
Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal. Maybe this will break people's applications
(though I doubt it). We could just set the default to an empty tuple,
which would exactly match the current behaviour.
this is the right way to document such things (Fred, help me out here :-),
but I got misled by the existing documentation and assumed the parameter
list was a *args sort of thing.
Gregory P. Smith
Andrew M. Kuchling
Fredrik Lundh
Walter Dörwald
Guido van Rossum
Skip Montanaro
Fred Drake
Martin v. Löwis