comparison doc/xmlrpc.txt @ 6026:e2b70d43d0fc
Document issues with xmlrpc security of python built-in libraries
Added note to changes with better description and link to defusedxml
in the xmlrpc doc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 03 Jan 2020 19:22:54 -0500 |
| parents | 94a7669677ae |
| children | 81ae33038ec5 |
| 6025:106f4384688b | 6026:e2b70d43d0fc |
|---|---|
| 48 stand alone roundup-xmlrpc-server | 48 stand alone roundup-xmlrpc-server |
| 49 --------------------------------- | 49 --------------------------------- |
| 50 Using roundup to access the xmlrpc interface is preferred. Roundup | 50 Using roundup to access the xmlrpc interface is preferred. Roundup |
| 51 provides better control over who can use the interface. | 51 provides better control over who can use the interface. |
| 52 | 52 |
| 53 The Roundup XML-RPC standalone server must be started before remote clients can access the | 53 The Roundup XML-RPC standalone server must be started before remote |
| 54 tracker via XML-RPC. ``roundup-xmlrpc-server`` is installed in the scripts | 54 clients can access the tracker via XML-RPC. ``roundup-xmlrpc-server`` |
| 55 directory alongside ``roundup-server`` and roundup-admin``. When invoked, the | 55 is installed in the scripts directory alongside ``roundup-server`` and |
| 56 location of the tracker instance must be specified. | 56 ``roundup-admin``. When invoked, the location of the tracker instance |
| 57 must be specified. | |
| 57 | 58 |
| 58 roundup-xmlrpc-server -i ``/path/to/tracker`` | 59 roundup-xmlrpc-server -i ``/path/to/tracker`` |
| 59 | 60 |
| 60 The default port is ``8000``. An alternative port can be specified with the | 61 The default port is ``8000``. An alternative port can be specified with the |
| 61 ``--port`` switch. | 62 ``--port`` switch. |
| 62 | 63 |
| 63 security consideration | 64 security consideration |
| 64 ---------------------- | 65 ---------------------- |
| 65 Note that the current ``roundup-xmlrpc-server`` implementation does not | 66 Both the standalone and embedded roundup XML endpoints used the |
| 66 support SSL. This means that usernames and passwords will be passed in | 67 default python XML parser. This parser is know to have security |
| 67 cleartext unless the server is being proxied behind another server (such as | 68 issues. For details see: https://pypi.python.org/pypi/defusedxml/. |
| 68 Apache or lighttpd) that provide SSL. | 69 You may wish to use the rest interface which doesn't have the same |
| 69 | 70 issues. Patches with tests to roundup to use defusedxml are welcome. |
| 71 | |
| 72 Note that the current ``roundup-xmlrpc-server`` implementation does | |
| 73 not support SSL. This means that usernames and passwords will be | |
| 74 passed in cleartext unless the server is being proxied behind another | |
| 75 server (such as Apache or lighttpd) that provide SSL. | |
| 70 | 76 |
| 71 Client API | 77 Client API |
| 72 ---------- | 78 ---------- |
| 73 The server currently implements four methods. Each method requires that the | 79 The server currently implements four methods. Each method requires |
| 74 user provide a username and password in the HTTP authorization header in order | 80 that the user provide a username and password in the HTTP |
| 75 to authenticate the request against the tracker. | 81 authorization header in order to authenticate the request against the |
| 82 tracker. | |
| 76 | 83 |
| 77 ======= ==================================================================== | 84 ======= ==================================================================== |
| 78 Command Description | 85 Command Description |
| 79 ======= ==================================================================== | 86 ======= ==================================================================== |
| 80 schema | 87 schema |
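Review bot: the new "security consideration" paragraph (right column, lines 66-70) has wording errors that weaken a security note: "used the default python XML parser" should be present tense ("use", since the behaviour is current, as the following sentence on SSL also describes it), and "This parser is know to have security issues" should read "is known to have". The carried-over SSL paragraph (lines 72-75) also still says "another server (such as Apache or lighttpd) that provide SSL", which should be "that provides SSL". Since the paragraph sends readers to https://pypi.python.org/pypi/defusedxml/ for details, consider stating in one clause what class of problem the reader is being warned about, so the note is useful without following the link, and consider making the recommendation explicit: that exposing ``roundup-xmlrpc-server`` or the embedded XML-RPC endpoint to untrusted clients is what carries the risk, and that the REST interface mentioned here is the suggested alternative until the defusedxml patch the paragraph invites has landed.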
