
Author longwenzhang
Recipients longwenzhang
Date 2019-09-21.02:17:29
Message-id <1569032250.18.0.545337961077.issue38243@roundup.psfhosted.org>
In-reply-to
Content
It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.

Steps to reproduce:

1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() escapes special symbols to make them safe (such as <, " etc.).
2. But it only escapes the content from server.set_server_name() and server.set_server_documentation(); the "title" content from server.set_server_title() is not escaped, so if I call set_server_title('123</title><script>alert(1)</script>'), it will cause XSS because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1; the PoC is poc.py (run in Python 2.7) in the attachments.
4. The problem seems to be at https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)". Before this line, the variable "documentation" has been escaped but self.server_title has not. This is the main cause.
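
A defender-side check for the behaviour reported above, added here as an example (it is not part of the original report or of CPython's code). It uses the Python 3 module `xmlrpc.server`; the names `render`, `stdlib_escapes_title`, `EscapedTitleDocHandler` and `title_text` are hypothetical, and the shim escapes the title only when the running interpreter's standard library does not already do so.

```python
import html
import re
from xmlrpc.server import DocCGIXMLRPCRequestHandler  # Python 3 stdlib

# Title string taken from the report above.
REPORT_TITLE = "123</title><script>alert(1)</script>"


def render(handler_cls, title):
    """Render the HTML documentation page for a handler with the given title."""
    handler = handler_cls()  # CGI-style handler: no socket is opened
    handler.set_server_title(title)
    return handler.generate_html_documentation()


def stdlib_escapes_title():
    """Probe whether this interpreter's xmlrpc.server escapes the title itself."""
    probe = "<probe-title>"  # constructed marker, harmless markup
    return probe not in render(DocCGIXMLRPCRequestHandler, probe)


STDLIB_ESCAPES_TITLE = stdlib_escapes_title()


class EscapedTitleDocHandler(DocCGIXMLRPCRequestHandler):
    """Hypothetical shim: escape server_title only if the stdlib does not."""

    def generate_html_documentation(self):
        if STDLIB_ESCAPES_TITLE:
            return super().generate_html_documentation()
        raw = self.server_title
        self.server_title = html.escape(raw)  # only reached on unescaping stdlib
        try:
            return super().generate_html_documentation()
        finally:
            self.server_title = raw  # leave the configured title unchanged


def title_text(page):
    """Return the content of the first <title> element in the rendered page."""
    match = re.search(r"<title>(.*?)</title>", page, re.S)
    return match.group(1) if match else None


if __name__ == "__main__":
    page = render(EscapedTitleDocHandler, REPORT_TITLE)
    print("stdlib escapes title:", STDLIB_ESCAPES_TITLE)
    print("rendered <title>:", title_text(page))
```

The same `render` and `title_text` pair can serve as a regression test in a deployment's own test suite, asserting that the configured title never appears unescaped in the generated page.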
History
Date | User | Action | Args
2019-09-21 02:17:30 | longwenzhang | set | recipients: + longwenzhang
2019-09-21 02:17:30 | longwenzhang | set | messageid: <1569032250.18.0.545337961077.issue38243@roundup.psfhosted.org>
2019-09-21 02:17:30 | longwenzhang | link | issue38243 messages
2019-09-21 02:17:29 | longwenzhang | create |