that allows sending back exception/stack trace information about
internal server errors (this flag defaults to False to avoid sending
such information unless explicitly enabled). Added tests to verify
behavior of this new feature (these tests are skipped on win32 because
of problems with WSAEWOULDBLOCK). Renamed HTTPTestCase to
SimpleServerTestCase. [GSoC - Alan McIntyre]

SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.
Security scanners that look for /cgi-bin/phf will therefore report
lots of vulnerabilities.
Fix: add a .rpc_paths attribute to the SimpleXMLRPCServer class,
and report a 404 error if the path isn't on the allowed list.
Possibly-controversial aspect of this change: the default makes only
'/' and '/RPC2' legal. Maybe this will break people's applications
(though I doubt it). We could just set the default to an empty tuple,
which would exactly match the current behaviour.

asked to read tens of megabytes of data. On my Mac, it hits MemoryErrors
when reading around 15Mb in one chunk. The fix is to read the body in several
parts, not as one big piece.
It would be nice to fix the underlying socket.read() problem, too.
2.4 bugfix candidate.
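
The rpc_paths allow-list described in the commit message above, exercised as an added example (not code from the original commits). It assumes Python 3's `xmlrpc.server`, where `rpc_paths` is set on the request handler class; `StrictHandler`, `AnyPathHandler`, `post_status`, and `probe` are hypothetical names.

```python
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


class StrictHandler(SimpleXMLRPCRequestHandler):
    # Allow-list of request paths; any other path gets a 404.
    rpc_paths = ("/", "/RPC2")


class AnyPathHandler(SimpleXMLRPCRequestHandler):
    # An empty tuple disables the check (the behaviour before the fix).
    rpc_paths = ()


def post_status(port, path):
    """POST a valid XML-RPC call to `path` and return the HTTP status."""
    body = xmlrpc.client.dumps((2, 3), methodname="add").encode()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("POST", path, body, {"Content-Type": "text/xml"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def probe(handler_cls, paths):
    """Serve on an ephemeral loopback port; map each path to its status."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=handler_cls,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, "add")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {p: post_status(port, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()


# Constructed sample paths, taken from the examples in the commit message.
PATHS = ["/", "/RPC2", "/blahblahblah", "/cgi-bin/phf"]

if __name__ == "__main__":
    print("strict:  ", probe(StrictHandler, PATHS))
    print("any path:", probe(AnyPathHandler, PATHS))
```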