16 changes: 15 additions & 1 deletion Lib/test/test_xmlrpc.py
Expand Up @@ -1338,6 +1338,21 @@ def get(self, key, failobj=None):
return 'I am broken'
return super().get(key, failobj)

class FailingThrowProtocol(unittest.TestCase):
def setUp(self):
self.url = 'https://user:[email protected]'

def test_throw_protocol_error(self):
try:
with xmlrpclib.ServerProxy(self.url) as p:
p.pow(6,8)
except (xmlrpclib.ProtocolError, OSError) as e:
if not is_unavailable_exception(e) and hasattr(e, "headers"):
uinfo = e.url.split('@')[0]
passwd = uinfo.split(':')[1]
self.assertTrue(passwd == 'xxx')
else:
self.fail('ProtocolError not raised')

class FailingServerTestCase(unittest.TestCase):
def setUp(self):
Expand Down Expand Up @@ -1382,7 +1397,6 @@ def test_basic(self):
def test_fail_no_info(self):
# use the broken message class
xmlrpc.server.SimpleXMLRPCRequestHandler.MessageClass = FailingMessageClass

try:
p = xmlrpclib.ServerProxy(URL)
p.pow(6,8)
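Review bot: The assertion in test_throw_protocol_error does not check that the password is absent from the error URL: it reads `e.url.split('@')[0].split(':')[1]` and compares it with 'xxx'. If the client change in this commit reduces the userinfo to the user name alone, the `[1]` index would raise IndexError before the assertion runs. Asserting the property directly is more robust, for example `self.assertNotIn(':', e.url.rpartition('@')[0])`. The test also passes without checking anything when the exception is an unavailable-network error or has no `headers` attribute. It appears to depend on a live HTTPS host (the URL is masked on this page), so a local test server or an explicit network-resource guard would make the result meaningful.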
3 changes: 2 additions & 1 deletion Lib/xmlrpc/client.py
Expand Up @@ -1167,8 +1167,9 @@ def single_request(self, host, handler, request_body, verbose=False):
#Discard any response data and raise exception
if resp.getheader("content-length", ""):
resp.read()
uname = f'{host.split(':')[0]}@{host.split('@')[1]}'
raise ProtocolError(
host + handler,
uname + handler,
resp.status, resp.reason,
dict(resp.getheaders())
)
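Review bot: The added line `uname = f'{host.split(':')[0]}@{host.split('@')[1]}'` raises IndexError for any host string without `@`, which is the normal case of a URL without credentials, so callers get an unrelated exception instead of the ProtocolError they expect. It also reuses single quotes inside a single-quoted f-string, which is a syntax error before Python 3.12, and it mis-splits when the password itself contains `@`, which can leave part of the password in the URL. Splitting from the right handles all three: `userinfo, sep, hostport = host.rpartition('@')` followed by `uname = userinfo.partition(':')[0] + sep + hostport`. If `host` can also be a `(host, x509)` tuple here, as other parts of this module appear to allow, that case needs handling before any string split. single_request's body continues outside the hunk.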
@@ -0,0 +1,3 @@
Fixed a security issue where a ``ProtocolError`` raised by
:meth:`xmlrpc.client.Transport.send_request`` in the :mod:`xmlrpc.client` could lead
to password leaks.