From: Dong-hee Na <donghee.na92@gmail.com>
Date: Fri, 27 Sep 2019 19:59:37 +0000 (+0900)
Subject: [CVE-2019-16935] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
X-Git-Tag: submit/tizen_6.0_base/20210521.062029~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b120bc9b46addd7e6e506c4c2f82b30f8c2278a3;p=platform%2Fupstream%2Fpython3.git

[CVE-2019-16935] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)

Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.

Change-Id: I37a51f9deb2f7ade15fdf30c9bee75ea7a75275a
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
---

diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
index f1c467eb..32aba4df 100644
--- a/Lib/xmlrpc/server.py
+++ b/Lib/xmlrpc/server.py
@@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
 from http.server import BaseHTTPRequestHandler
 from functools import partial
 from inspect import signature
+import html
 import http.server
 import socketserver
 import sys
@@ -894,7 +895,7 @@ class XMLRPCDocGenerator:
                                 methods
                             )
 
-        return documenter.page(self.server_title, documentation)
+        return documenter.page(html.escape(self.server_title), documentation)
 
 class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
     """XML-RPC and documentation request handler class.