XML200
Enabling the allow_dotted_names option lets clients traverse attribute chains on the registered instance, which can expose your module's global variables and may allow an attacker to execute arbitrary code on your machine.
Example
from xmlrpc.server import SimpleXMLRPCServer

with SimpleXMLRPCServer(('0.0.0.0', 8000)) as server:
    class MyFuncs:
        def mul(self, x, y):
            return x * y

    # Dotted names let a client call any attribute chain on MyFuncs, not just mul
    server.register_instance(MyFuncs(), allow_dotted_names=True)  # This is bad!

    # Run the server's main loop
    server.serve_forever()
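The registration step from the example above, with the option on and off, exercised against the server's own dispatcher in-process so the difference is visible without opening a socket (an added example, not the rule's or the Python documentation's code; `Settings`, `build_dispatcher` and `call` are constructed here):

```python
from xmlrpc.server import SimpleXMLRPCDispatcher


class Settings:
    """Constructed stand-in for internal state that was never meant to be callable remotely."""

    def show(self):
        return "internal-settings"


class MyFuncs:
    def __init__(self):
        # A public attribute: with allow_dotted_names=True a client can traverse
        # into it and call "settings.show", which was never registered as a method.
        self.settings = Settings()

    def mul(self, x, y):
        return x * y


def build_dispatcher(allow_dotted_names):
    """Same registration step as the page's example, with the option as a parameter."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    dispatcher.register_instance(MyFuncs(), allow_dotted_names=allow_dotted_names)
    return dispatcher


def call(dispatcher, method, params=()):
    """Resolve and invoke a method name the way the request handler does; report refusals."""
    try:
        return dispatcher._dispatch(method, params)
    except Exception as exc:  # the dispatcher raises a plain Exception for unsupported names
        return "refused: %s" % exc


if __name__ == "__main__":
    for allow in (True, False):
        d = build_dispatcher(allow)
        print("allow_dotted_names=%s" % allow)
        print("  mul(6, 7)       ->", call(d, "mul", (6, 7)))
        print("  settings.show() ->", call(d, "settings.show"))
```

With the option left at its default of False, only direct attributes of the instance resolve; the dotted call is answered with "method ... is not supported" instead of being executed.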
Fixes
- Disable this option (leave allow_dotted_names at its default of False)
- Only use it within a secure, local network