>>> import xmlrpc.client
>>> xmlrpc.client.ServerProxy('https://login:password@example.com')
<ServerProxy for login:password@example.com/RPC2>
Because this repr is included in error messages, this can lead to leaking the password:
>>> xmlrpc.client.ServerProxy('https://login:password@example.com').method()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.7/xmlrpc/client.py", line 1112, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python3.7/xmlrpc/client.py", line 1452, in __request
verbose=self.__verbose
File "/usr/lib/python3.7/xmlrpc/client.py", line 1154, in request
return self.single_request(host, handler, request_body, verbose)
File "/usr/lib/python3.7/xmlrpc/client.py", line 1187, in single_request
dict(resp.getheaders())
xmlrpc.client.ProtocolError: <ProtocolError for login:password@example.com/RPC2: 404 Not Found>
|