From 6cc00de451b334f69c0ca8ffda71ab33421ec07e Mon Sep 17 00:00:00 2001 From: Dong-hee Na Date: Tue, 1 Oct 2019 19:58:01 +0900 Subject: [PATCH] [CVE-2019-16935] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447) Escape the server title of DocXMLRPCServer.DocXMLRPCServer when rendering the document page as HTML. Change-Id: Id7e5a2c440b9a2e9bc832bd321740ce0c1581edf Signed-off-by: DongHun Kwak --- Lib/DocXMLRPCServer.py | 13 ++++++++++++- Lib/test/test_docxmlrpc.py | 20 ++++++++++++++++++++ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py index 4064ec2..90b037d 100644 --- a/Lib/DocXMLRPCServer.py +++ b/Lib/DocXMLRPCServer.py @@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer, CGIXMLRPCRequestHandler, resolve_dotted_attribute) + +def _html_escape_quote(s): + s = s.replace("&", "&") # Must be done first! + s = s.replace("<", "<") + s = s.replace(">", ">") + s = s.replace('"', """) + s = s.replace('\'', "'") + return s + + class ServerHTMLDoc(pydoc.HTMLDoc): """Class used to generate pydoc HTML document for a server""" @@ -210,7 +220,8 @@ class XMLRPCDocGenerator: methods ) - return documenter.page(self.server_title, documentation) + title = _html_escape_quote(self.server_title) + return documenter.page(title, documentation) class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): """XML-RPC and documentation request handler class. diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py index 4dff415..c45b892 100644 --- a/Lib/test/test_docxmlrpc.py +++ b/Lib/test/test_docxmlrpc.py @@ -1,5 +1,6 @@ from DocXMLRPCServer import DocXMLRPCServer import httplib +import re import sys from test import test_support threading = test_support.import_module('threading') @@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): self.assertIn("""Try self.add, too.""", response.read()) + def test_server_title_escape(self): + """Test that the server title and documentation + are escaped for HTML. + """ + self.serv.set_server_title('test_title