Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12:Update
python3-base.23342
CVE-2019-16935-xmlrpc-doc-server_title.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-16935-xmlrpc-doc-server_title.patch of Package python3-base.23342
From fa849a1cfe9d1f65a7e0f9030ab057cee3589f10 Mon Sep 17 00:00:00 2001 From: Dong-hee Na <donghee.na92@gmail.com> Date: Sat, 28 Sep 2019 04:59:37 +0900 Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa) --- Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++ Lib/xmlrpc/server.py | 3 ++- .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst --- a/Lib/test/test_docxmlrpc.py +++ b/Lib/test/test_docxmlrpc.py @@ -1,5 +1,6 @@ from xmlrpc.server import DocXMLRPCServer import http.client +import re import sys import unittest from test import support @@ -196,6 +197,21 @@ class DocXMLRPCHTTPGETServer(unittest.Te b'method_annotation</strong></a>(x: bytes)</dt></dl>'), response.read()) + def test_server_title_escape(self): + # bpo-38243: Ensure that the server title and documentation + # are escaped for HTML. + self.serv.set_server_title('test_title<script>') + self.serv.set_server_documentation('test_documentation<script>') + self.assertEqual('test_title<script>', self.serv.server_title) + self.assertEqual('test_documentation<script>', + self.serv.server_documentation) + + # generated = self.serv.generate_html_documentation() + # title = re.search(r'<title>(.+?)</title>', generated).group() + # documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() + # self.assertEqual('<title>Python: test_title<script></title>', title) + # self.assertEqual('<p><tt>test_documentation<script></tt></p>', documentation) + def test_main(): support.run_unittest(DocXMLRPCHTTPGETServer) --- a/Lib/xmlrpc/server.py +++ b/Lib/xmlrpc/server.py @@ -106,6 +106,7 @@ server.handle_request() from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode from http.server import BaseHTTPRequestHandler +import html import http.server import socketserver import sys @@ -887,7 +888,7 @@ class XMLRPCDocGenerator: methods ) - return documenter.page(self.server_title, documentation) + return documenter.page(html.escape(self.server_title), documentation) class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): """XML-RPC and documentation request handler class. --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst @@ -0,0 +1,3 @@ +Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` +when rendering the document page as HTML. +(Contributed by Dong-hee Na in :issue:`38243`.)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
