[CVE-2019-16935] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)

Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.

Change-Id: I37a51f9deb2f7ade15fdf30c9bee75ea7a75275a
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>

diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
index f1c467eb1b2b87c2e76a46b745985831d67c7acb..32aba4df4c7eb5edc473b0a5cba6068ca3f61ee0 100644 (file)
--- a/Lib/xmlrpc/server.py
+++ b/Lib/xmlrpc/server.py
@@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
 from http.server import BaseHTTPRequestHandler
 from functools import partial
 from inspect import signature
+import html
 import http.server
 import socketserver
 import sys
@@ -894,7 +895,7 @@ class XMLRPCDocGenerator:
                                 methods
                             )
 
-        return documenter.page(self.server_title, documentation)
+        return documenter.page(html.escape(self.server_title), documentation)
 
 class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
     """XML-RPC and documentation request handler class.