diff doc/xmlrpc.txt @ 6026:e2b70d43d0fc

Document issues with xmlrpc security of python built-in libraries. Added note to changes with better description and link to defusedxml in the xmlrpc doc.
author John Rouillard <rouilj@ieee.org>
date Fri, 03 Jan 2020 19:22:54 -0500
parents 94a7669677ae
children 81ae33038ec5
--- a/doc/xmlrpc.txt	Thu Jan 02 21:04:21 2020 -0500
+++ b/doc/xmlrpc.txt	Fri Jan 03 19:22:54 2020 -0500
@@ -50,10 +50,11 @@
 Using roundup to access the xmlrpc interface is preferred. Roundup
 provides better control over who can use the interface.
 
-The Roundup XML-RPC standalone server must be started before remote clients can access the
-tracker via XML-RPC. ``roundup-xmlrpc-server`` is installed in the scripts
-directory alongside ``roundup-server`` and roundup-admin``. When invoked, the
-location of the tracker instance must be specified.
+The Roundup XML-RPC standalone server must be started before remote
+clients can access the tracker via XML-RPC. ``roundup-xmlrpc-server``
+is installed in the scripts directory alongside ``roundup-server`` and
+``roundup-admin``. When invoked, the location of the tracker instance
+must be specified.
 
 	roundup-xmlrpc-server -i ``/path/to/tracker``
 
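Review bot: the commit message describes this hunk as a reflow, but it also repairs a rendering defect: the old text had `roundup-admin``` with no opening backticks, so the inline literal never closed in the rendered reST, and the new text correctly writes ```roundup-admin```. Worth stating in the commit message that a markup fix is included, so anyone bisecting a rendering change finds it.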
@@ -62,17 +63,23 @@
 
 security consideration
 ----------------------
-Note that the current ``roundup-xmlrpc-server`` implementation does not
-support SSL. This means that usernames and passwords will be passed in
-cleartext unless the server is being proxied behind another server (such as
-Apache or lighttpd) that provide SSL.
+Both the standalone and embedded roundup XML endpoints used the
+default python XML parser. This parser is know to have security
+issues. For details see: https://pypi.python.org/pypi/defusedxml/.
+You may wish to use the rest interface which doesn't have the same
+issues. Patches with tests to roundup to use defusedxml are welcome.
 
+Note that the current ``roundup-xmlrpc-server`` implementation does
+not support SSL. This means that usernames and passwords will be
+passed in cleartext unless the server is being proxied behind another
+server (such as Apache or lighttpd) that provide SSL.
 
 Client API
 ----------
-The server currently implements four methods. Each method requires that the
-user provide a username and password in the HTTP authorization header in order
-to authenticate the request against the tracker.
+The server currently implements four methods. Each method requires
+that the user provide a username and password in the HTTP
+authorization header in order to authenticate the request against the
+tracker.
 
 ======= ====================================================================
 Command Description
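Review bot: the new security paragraph has several wording problems that change its meaning. "used the default python XML parser" reads as past tense, implying the problem was fixed; since the paragraph goes on to solicit patches, it should say "use". "This parser is know to have security issues" should be "known", and "Both the standalone and embedded roundup XML endpoints" should say "XML-RPC endpoints" to match the rest of the document. The pre-existing sentence moved in this hunk still has the agreement error "(such as Apache or lighttpd) that provide SSL" and should read "that provides SSL". Suggested replacement for the first three added lines:
  Both the standalone and embedded roundup XML-RPC endpoints use the
  default Python XML parser. This parser is known to have security
  issues. For details see: https://pypi.python.org/pypi/defusedxml/.
Also, "You may wish to use the rest interface which doesn't have the same issues" gives the reader no basis for the claim; a short clause saying why the REST interface is not affected would make the recommendation actionable.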

Roundup Issue Tracker: http://roundup-tracker.org/