changeset 6026:e2b70d43d0fc
Document issues with xmlrpc security of python built-in libraries
Added note to changes with better description and link to defusedxml
in the xmlrpc doc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 03 Jan 2020 19:22:54 -0500 |
| parents | 106f4384688b |
| children | ff57db595a58 |
| files | CHANGES.txt doc/xmlrpc.txt |
| diffstat | 2 files changed, 19 insertions(+), 11 deletions(-) |
--- a/CHANGES.txt Thu Jan 02 21:04:21 2020 -0500 +++ b/CHANGES.txt Fri Jan 03 19:22:54 2020 -0500 @@ -70,6 +70,7 @@ is used. Fixed three places where the value of a hidden @action input field was translated. (Reported by Ludwig Reiter. John Rouillard) +- Document security issues in xmlrpc interface in doc/xmlrpc.txt. 2019-10-23 2.0.0 alpha 0
--- a/doc/xmlrpc.txt Thu Jan 02 21:04:21 2020 -0500 +++ b/doc/xmlrpc.txt Fri Jan 03 19:22:54 2020 -0500 @@ -50,10 +50,11 @@ Using roundup to access the xmlrpc interface is preferred. Roundup provides better control over who can use the interface. -The Roundup XML-RPC standalone server must be started before remote clients can access the -tracker via XML-RPC. ``roundup-xmlrpc-server`` is installed in the scripts -directory alongside ``roundup-server`` and roundup-admin``. When invoked, the -location of the tracker instance must be specified. +The Roundup XML-RPC standalone server must be started before remote +clients can access the tracker via XML-RPC. ``roundup-xmlrpc-server`` +is installed in the scripts directory alongside ``roundup-server`` and +``roundup-admin``. When invoked, the location of the tracker instance +must be specified. roundup-xmlrpc-server -i ``/path/to/tracker`` 
@@ -62,17 +63,23 @@ security consideration ---------------------- -Note that the current ``roundup-xmlrpc-server`` implementation does not -support SSL. This means that usernames and passwords will be passed in -cleartext unless the server is being proxied behind another server (such as -Apache or lighttpd) that provide SSL. +Both the standalone and embedded roundup XML endpoints used the +default python XML parser. This parser is know to have security +issues. For details see: https://pypi.python.org/pypi/defusedxml/. +You may wish to use the rest interface which doesn't have the same +issues. Patches with tests to roundup to use defusedxml are welcome. +Note that the current ``roundup-xmlrpc-server`` implementation does +not support SSL. This means that usernames and passwords will be +passed in cleartext unless the server is being proxied behind another +server (such as Apache or lighttpd) that provide SSL. Client API ---------- -The server currently implements four methods. Each method requires that the -user provide a username and password in the HTTP authorization header in order -to authenticate the request against the tracker. +The server currently implements four methods. Each method requires +that the user provide a username and password in the HTTP +authorization header in order to authenticate the request against the +tracker. ======= ==================================================================== Command Description
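Review bot: the added CHANGES.txt entry ("Document security issues in xmlrpc interface in doc/xmlrpc.txt") tells a changelog reader nothing actionable; say what the issue is and what to do about it in the one line, for example "- Document that the xmlrpc interface uses Python's default XML parser, which has known security issues (see defusedxml); the REST interface does not share them." Also check where the line lands: it follows the "Fixed three places where the value of a hidden @action input field was translated" item, so confirm it is in the intended section of the 2.0.0 alpha notes rather than appended to a fixes list.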
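Review bot: the first doc/xmlrpc.txt hunk (@@ -50,10) is mostly a reflow, but it also fixes a real markup defect: the old text had roundup-admin`` with no opening backticks, and the new ``roundup-admin`` corrects it. The commit message only mentions the security note, so add a line about this fix so it is not lost inside a whitespace-only looking change.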
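Review bot: the new security paragraph in the second doc/xmlrpc.txt hunk (@@ -62,17) has wording errors that should be fixed before it lands: "used the default python XML parser" should be "use" (it describes current behaviour of both endpoints), "is know to have" should be "is known to have", and "XML endpoints" should be "XML-RPC endpoints" to match the rest of the section. The retained sentence "another server (such as Apache or lighttpd) that provide SSL" should read "provides SSL". It would also help an operator to state briefly what class of security issue is meant rather than only linking to https://pypi.python.org/pypi/defusedxml/, so exposure can be judged without leaving the page.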
