changeset 7472:db58a86aa29d

Redo headers. Elevate lack of ssl to caution.
author John Rouillard <rouilj@ieee.org>
date Thu, 08 Jun 2023 09:01:17 -0400
parents a4987f5ebee0
children f8b5b0310f88
files doc/xmlrpc.txt
diffstat 1 files changed, 22 insertions(+), 16 deletions(-)
--- a/doc/xmlrpc.txt	Thu Jun 08 01:33:16 2023 -0400
+++ b/doc/xmlrpc.txt	Thu Jun 08 09:01:17 2023 -0400
@@ -14,7 +14,8 @@
    :local:
 
 Introduction
-------------
+============
+
 Version 1.4 of Roundup includes an XML-RPC frontend for remote access. The
 XML-RPC interface allows a limited subset of commands similar to those found in
 local `roundup-admin` tool.
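Review bot: `roundup-admin` in the last context line of this hunk is wrapped in single backticks, which reStructuredText treats as interpreted text (the default role) rather than an inline literal. Since this pass is tidying the section, switching it to double backticks would match ``--port`` and ``roundup-xmlrpc-server`` later in the file. The sentence also reads better as "found in the local ``roundup-admin`` tool".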
@@ -27,8 +28,8 @@
 
     http://localhost:8917/demo/xmlrpc
 
-Enabling XML-RPC server 
------------------------
+Enabling XML-RPC
+================
 There are two ways to run the XML-RPC interface:
 
   through roundup itself
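Review bot: the new "Enabling XML-RPC" heading has no blank line after its underline, while the "Introduction", "Through Roundup", "Standalone roundup-xmlrpc-server" and "Security Consideration" headings in this same change each get one. Add the blank line here for consistency. The list entry "through roundup itself" below it also keeps the lowercase spelling that the renamed subsection heading drops.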
@@ -36,8 +37,9 @@
   stand alone roundup-xmlrpc-server
 
 
-through roundup
+Through Roundup
 ---------------
+
 The XML-RPC service is available from the roundup HTTP server under
 /xmlrpc.
 
@@ -53,9 +55,10 @@
 This is usually included near where other permissions like "Web Access"
 or "Email Access" are assigned.
 
-stand alone roundup-xmlrpc-server
----------------------------------
-Using roundup to access the xmlrpc interface is preferred. Roundup
+Standalone roundup-xmlrpc-server
+--------------------------------
+
+Using Roundup to access the xmlrpc interface is preferred. Roundup
 provides better control over who can use the interface.
 
 The Roundup XML-RPC standalone server must be started before remote
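Review bot: the rewritten first sentence capitalizes "Roundup" but keeps "xmlrpc interface", while every heading touched by this change spells it "XML-RPC"; use "XML-RPC interface" here as well. The heading now reads "Standalone", but the list entry that introduces this subsection still says "stand alone roundup-xmlrpc-server", so the two should be aligned.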
@@ -69,21 +72,24 @@
 The default port is ``8000``. An alternative port can be specified with the
 ``--port`` switch.
 
-security consideration
-----------------------
+Security Consideration
+======================
+
 Both the standalone and embedded roundup XML endpoints used the
 default python XML parser. This parser is know to have security
 issues. For details see: https://pypi.org/project/defusedxml/.
 You may wish to use the rest interface which doesn't have the same
 issues. Patches with tests to roundup to use defusedxml are welcome.
 
-Note that the current ``roundup-xmlrpc-server`` implementation does
-not support SSL. This means that usernames and passwords will be
-passed in cleartext unless the server is being proxied behind another
-server (such as Apache or lighttpd) that provide SSL.
+.. caution::
+
+   The current ``roundup-xmlrpc-server`` implementation does not support
+   SSL. This means that usernames and passwords will be passed in
+   cleartext unless the server is being proxied behind another server
+   (such as Apache or lighttpd) that provide SSL.
 
 Client API
-----------
+==========
 The server currently implements seven methods/commands. Each method
 requires that the user provide a username and password in the HTTP
 authorization header in order to authenticate the request against the
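Review bot: the paragraph directly above the new caution, which says the default Python XML parser has security issues, stays as plain body text while the missing SSL support is promoted to an admonition. Both describe exposure of the same endpoint, so consider giving the parser paragraph its own admonition and renaming the heading to "Security Considerations", since the section covers two separate issues. The context lines at the end of the hunk state that every method sends a username and password in the HTTP authorization header, so the caution could say that the cleartext exposure applies to every call. In the unchanged lines, "used the default python XML parser" reads as past tense where "use" looks intended, "is know to have" should be "is known to have", and the moved text keeps "that provide SSL" where "that provides SSL" is meant. The "Client API" heading also lacks the blank line after its underline that the other headings in this change received.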
@@ -137,7 +143,7 @@
         :ref:`query-tracker`.
 ======= ====================================================================
 
-sample python client
+Sample Python Client
 ====================
 
 This client will work if you turn off the x-requested-with header and
@@ -171,7 +177,7 @@
         >>> roundup_server.lookup('user','admin')
         '1'
 
-advanced python client adding anti-csrf headers
+Advanced Python Client Adding anti-csrf Headers
 ===============================================
 
 The one below adds Referer and X-Requested-With headers so it can pass
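Review bot: the new title "Advanced Python Client Adding anti-csrf Headers" title-cases every word except "anti-csrf"; "Anti-CSRF" would match the rest of the heading and the usual spelling of the acronym. The character count does not change, so the existing underline still fits.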

Roundup Issue Tracker: http://roundup-tracker.org/