From b120bc9b46addd7e6e506c4c2f82b30f8c2278a3 Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Sat, 28 Sep 2019 04:59:37 +0900
Subject: [PATCH] [CVE-2019-16935] bpo-38243, xmlrpc.server: Escape the
 server_title (GH-16373)

Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.

Change-Id: I37a51f9deb2f7ade15fdf30c9bee75ea7a75275a
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
---
 Lib/xmlrpc/server.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
index f1c467eb..32aba4df 100644
--- a/Lib/xmlrpc/server.py
+++ b/Lib/xmlrpc/server.py
@@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
 from http.server import BaseHTTPRequestHandler
 from functools import partial
 from inspect import signature
+import html
 import http.server
 import socketserver
 import sys
@@ -894,7 +895,7 @@ class XMLRPCDocGenerator:
                                 methods
                             )
 
-        return documenter.page(self.server_title, documentation)
+        return documenter.page(html.escape(self.server_title), documentation)
 
 class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
     """XML-RPC and documentation request handler class.
-- 
2.34.1