8 Commits

Author SHA1 Message Date
Georg Brandl 6113ce51b3 Two fixes in DocXMLRPCServer:
* remove parameter default that didn't make sense
* properly escape values in output
Thanks to Jeff Wheeler from GHOP!
2007-12-09 21:15:07 +00:00
Collin Winter ae04106a0e Patch #1599845: Add an option to disable the implicit calls to server_bind() and server_activate() in the constructors for TCPServer, SimpleXMLRPCServer and DocXMLRPCServer. 2007-03-10 14:41:48 +00:00
Andrew M. Kuchling 622f144175 [Bug #1473048]
SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.

Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.

Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal.  Maybe this will break people's applications
(though I doubt it).  We could just set the default to an empty tuple,
which would exactly match the current behaviour.
2006-05-31 14:08:48 +00:00
Raymond Hettinger f715366f23 Reduce the usage of the types module. 2005-02-07 14:16:21 +00:00
Andrew M. Kuchling 33ad28b68d Use multi-line import 2004-08-31 11:38:12 +00:00
Martin v. Löwis 9c5ea50c25 Patch #727805: Remove extra line ending from CGI responses. 2003-05-01 05:05:09 +00:00
Tim Peters 0eadaac7dc Whitespace normalization. 2003-04-24 16:02:54 +00:00
Martin v. Löwis 281b2c6211 Patch #536883: SimpleXMLRPCServer auto-docing subclass. 2003-04-18 21:04:39 +00:00