Mercurial > p > roundup > code

view roundup/anypy/xmlrpc_.py @ 8356:63390dcfcfe9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
bug: fix template use of structure with untrusted data Looks like an xSS bug with an early version of the template that was fixed in the code but never in the deployed tracker. It has been a while since this particular construct has been in the classic template which is the base for the tracker. This has been fixed on the deployed tracker as well. reported by 4bug of ChaMd5 Security Team H1 Group
author John Rouillard <rouilj@ieee.org>
date Tue, 08 Jul 2025 10:23:09 -0400
parents 05405220dc38
children
line wrap: on
line source

try:
    # Python 3+.
    from xmlrpc import client, server
    # If client.defusedxml == False, client.py will warn that
    # xmlrpc is insecure and defusedxml should be installed.
    client.defusedxml = False
    try:
        from defusedxml import xmlrpc
        xmlrpc.monkey_patch()
        # figure out how to allow user to set xmlrpc.MAX_DATA = bytes
        client.defusedxml = True
    except ImportError:
        # use regular xmlrpc with warnings
        pass

    server.SimpleXMLRPCDispatcher  # noqa: B018
except (ImportError, AttributeError):
    # Python 2.
    import SimpleXMLRPCServer as server
    import xmlrpclib as client  # noqa: F401
    client.defusedxml = False
Roundup Issue Tracker: http://roundup-tracker.org/