view roundup/anypy/xmlrpc_.py @ 8365:4ac0bbb3e440

bug(security): CVE-2025-53865 - XSS bug

Extensive fixes in devel, responsive templates known to be
exploitable. Similar constructs in classic and minimal templates
not known to be exploitable, but changed anyway.

doc/upgrading.txt: Reformat to 66 characters. Update with assigned
CVE number. Add section on fixing tal:replace with unsafe data.
Document analysis and assumptions in comment in file.

doc/security.txt: Update with CVE number.
author John Rouillard <rouilj@ieee.org>
date Fri, 11 Jul 2025 19:30:27 -0400
parents 05405220dc38
children

try:
    # Python 3+.
    from xmlrpc import client, server
    # If client.defusedxml == False, client.py will warn that
    # xmlrpc is insecure and defusedxml should be installed.
    client.defusedxml = False
    try:
        from defusedxml import xmlrpc
        # Replace the stdlib expat parser (and gzip decoding) used by
        # xmlrpc.client with defusedxml's hardened versions, process-wide.
        xmlrpc.monkey_patch()
        # figure out how to allow user to set xmlrpc.MAX_DATA = bytes
        client.defusedxml = True
    except ImportError:
        # use regular xmlrpc with warnings
        pass

    # Raises AttributeError if this is not the Python 3 server module.
    server.SimpleXMLRPCDispatcher  # noqa: B018
except (ImportError, AttributeError):
    # Python 2.
    import SimpleXMLRPCServer as server
    import xmlrpclib as client  # noqa: F401
    client.defusedxml = False
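As an added example (not Roundup's code), the following script shows what the defusedxml monkey patch applied by this module actually changes: a constructed XML-RPC request that declares an internal entity is expanded silently by the stock expat parser but rejected once defusedxml is installed, while an ordinary request keeps working. The function names, the report dict and the sample requests are assumptions made for this illustration; the script degrades to a "not hardened" report when defusedxml is not importable, mirroring the fallback in the module above.

```python
# Added example (not part of Roundup): check what the defusedxml
# hardening enabled in roundup/anypy/xmlrpc_.py actually changes.
# Function names, the report dict and the sample requests below are
# constructed for this illustration.
from xmlrpc import client

# Captured before any monkey patching so the stock parser stays reachable.
STOCK_PARSER = client.ExpatParser

# Constructed request whose DTD declares an internal entity. The stock
# expat parser expands &greeting; silently; defusedxml's parser refuses
# entity declarations by default (forbid_entities=True).
REQUEST_WITH_ENTITY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE methodCall [<!ENTITY greeting "hello">]>\n'
    "<methodCall><methodName>echo</methodName>"
    "<params><param><value><string>&greeting;</string></value></param></params>"
    "</methodCall>"
)

# Ordinary request produced by the stdlib marshaller; both parsers accept it.
PLAIN_REQUEST = client.dumps(("hello",), methodname="echo")


def enable_hardening():
    """Mirror xmlrpc_.py: install defusedxml's parser if it is importable.

    Returns True when xmlrpc.client is now hardened, False otherwise.
    """
    try:
        from defusedxml import xmlrpc as defused_xmlrpc
    except ImportError:
        return False
    defused_xmlrpc.monkey_patch()
    return True


def parse_request(data, parser_class=None):
    """Parse an XML-RPC request and return (params, methodname).

    With parser_class=None the parser comes from client.getparser(), the
    path client.loads() and the stdlib server use, so it picks up
    defusedxml's monkey patch once installed.
    """
    if parser_class is None:
        parser, target = client.getparser()
    else:
        target = client.Unmarshaller()
        parser = parser_class(target)
    parser.feed(data)
    parser.close()
    return target.close(), target.getmethodname()


def hardening_report():
    """Summarise how the current process treats entity declarations."""
    report = {"defusedxml": enable_hardening()}

    # The stock parser expands the declared entity without complaint.
    params, _ = parse_request(REQUEST_WITH_ENTITY, STOCK_PARSER)
    report["stock_expands_entity"] = params == ("hello",)

    # After monkey_patch the default parser raises EntitiesForbidden,
    # a DefusedXmlException, which subclasses ValueError.
    try:
        parse_request(REQUEST_WITH_ENTITY)
        report["entity_rejected"] = False
    except ValueError:
        report["entity_rejected"] = True

    # Hardening must not break ordinary requests.
    params, name = parse_request(PLAIN_REQUEST)
    report["plain_request_ok"] = params == ("hello",) and name == "echo"
    return report


if __name__ == "__main__":
    for key, value in hardening_report().items():
        print(f"{key}: {value}")
```

Run it in the same virtual environment as the tracker: `entity_rejected` should read True there, matching `client.defusedxml` being set to True by the module above; a False tells you requests are still parsed by the stock expat parser and the warning from `xmlrpc.client` is not just noise.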

Roundup Issue Tracker: http://roundup-tracker.org/