Mercurial > p > roundup > code
annotate roundup/anypy/xmlrpc_.py @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an xSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | 05405220dc38 |
| children |
| rev | line source |
|---|---|
|
5408
e46ce04d5bbc
Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
diff
changeset
|
1 try: |
|
e46ce04d5bbc
Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
diff
changeset
|
2 # Python 3+. |
|
e46ce04d5bbc
Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
diff
changeset
|
3 from xmlrpc import client, server |
|
8237
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
4 # If client.defusedxml == False, client.py will warn that |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
5 # xmlrpc is insecure and defusedxml should be installed. |
|
8238
05405220dc38
issue2551116 - difusedxml support - python2 fixups.
John Rouillard <rouilj@ieee.org>
parents:
8237
diff
changeset
|
6 client.defusedxml = False |
|
8237
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
7 try: |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
8 from defusedxml import xmlrpc |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
9 xmlrpc.monkey_patch() |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
10 # figure out how to allow user to set xmlrpc.MAX_DATA = bytes |
|
8238
05405220dc38
issue2551116 - difusedxml support - python2 fixups.
John Rouillard <rouilj@ieee.org>
parents:
8237
diff
changeset
|
11 client.defusedxml = True |
|
8237
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
12 except ImportError: |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
13 # use regular xmlrpc with warnings |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
14 pass |
|
57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
John Rouillard <rouilj@ieee.org>
parents:
7829
diff
changeset
|
15 |
|
8238
05405220dc38
issue2551116 - difusedxml support - python2 fixups.
John Rouillard <rouilj@ieee.org>
parents:
8237
diff
changeset
|
16 server.SimpleXMLRPCDispatcher # noqa: B018 |
|
5552
db10c0a1f338
Fix xmlrpc module selection for incomplete backport (issue2551010).
Gabi <gabriele.roeger@unibas.ch>
parents:
5408
diff
changeset
|
17 except (ImportError, AttributeError): |
|
5408
e46ce04d5bbc
Python 3 preparation: update xmlrpclib / SimpleXMLRPCServer imports.
Joseph Myers <jsm@polyomino.org.uk>
parents:
diff
changeset
|
18 # Python 2. |
| 7829 | 19 import SimpleXMLRPCServer as server |
|
6049
99d4fb22aa65
flake8 fixes: ignore import unused in python3.
John Rouillard <rouilj@ieee.org>
parents:
5552
diff
changeset
|
20 import xmlrpclib as client # noqa: F401 |
|
8238
05405220dc38
issue2551116 - difusedxml support - python2 fixups.
John Rouillard <rouilj@ieee.org>
parents:
8237
diff
changeset
|
21 client.defusedxml = False |