1 From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001
2 From: Dong-hee Na <donghee.na92@gmail.com>
3 Date: Sat, 28 Sep 2019 10:17:25 +0900
4 Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of
5 DocXMLRPCServer when rendering
8 Lib/DocXMLRPCServer.py | 10 +++++++++-
9 Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++
10 .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
11 3 files changed, 32 insertions(+), 1 deletion(-)
12 create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
14 diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
15 index 4064ec2e48d4d..a0e407b6318ad 100644
16 --- a/Lib/DocXMLRPCServer.py
17 +++ b/Lib/DocXMLRPCServer.py
18 @@ -210,7 +210,15 @@ def generate_html_documentation(self):
22 - return documenter.page(self.server_title, documentation)
30 + title = ''.join(escape_table.get(c, c) for c in self.server_title)
31 + return documenter.page(title, documentation)
33 class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
34 """XML-RPC and documentation request handler class.
35 diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
36 index 4dff4159e2466..c45b892b8b3e7 100644
37 --- a/Lib/test/test_docxmlrpc.py
38 +++ b/Lib/test/test_docxmlrpc.py
40 from DocXMLRPCServer import DocXMLRPCServer
44 from test import test_support
45 threading = test_support.import_module('threading')
46 @@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self):
47 self.assertIn("""Try self.<strong>add</strong>, too.""",
50 + def test_server_title_escape(self):
51 + """Test that the server title and documentation
52 + are escaped for HTML.
54 + self.serv.set_server_title('test_title<script>')
55 + self.serv.set_server_documentation('test_documentation<script>')
56 + self.assertEqual('test_title<script>', self.serv.server_title)
57 + self.assertEqual('test_documentation<script>',
58 + self.serv.server_documentation)
60 + generated = self.serv.generate_html_documentation()
61 + title = re.search(r'<title>(.+?)</title>', generated).group()
62 + documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
63 + self.assertEqual('<title>Python: test_title<script></title>',
65 + self.assertEqual('<p><tt>test_documentation<script></tt></p>',
70 test_support.run_unittest(DocXMLRPCHTTPGETServer)
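Review bot: The expected strings in the two final `assertEqual` calls read as unescaped (`<title>Python: test_title<script></title>`), which would assert the opposite of what the docstring claims to check; this is most likely `&lt;`/`&gt;` being decoded when the page was rendered, but it should be verified against the committed file. The `re.search(...).group()` calls raise `AttributeError` rather than a readable assertion when the pattern is absent; binding the match first and adding `self.assertIsNotNone(match)` gives a clearer failure. The test calls `generate_html_documentation()` directly, so the HTTP GET path that serves the page is covered only if it uses the same method, which this hunk does not show. If `self.serv` is shared across test methods, restoring the original title and documentation with `addCleanup` would avoid order-dependent results.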
72 diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
74 index 0000000000000..8f02baed9ebe5
76 +++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
78 +Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
79 +when rendering the document page as HTML.
80 +(Contributed by Dong-hee Na in :issue:`38243`.)
82 From 00251ae0244cfae1f5a77d15f3d0415c12b65ada Mon Sep 17 00:00:00 2001
83 From: Dong-hee Na <donghee.na92@gmail.com>
84 Date: Tue, 1 Oct 2019 09:31:33 +0900
85 Subject: [PATCH 2/3] bpo-38243:Refect victor's review
88 Lib/DocXMLRPCServer.py | 20 ++++++++++++--------
89 1 file changed, 12 insertions(+), 8 deletions(-)
91 diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
92 index a0e407b6318ad..6ab41c31b403e 100644
93 --- a/Lib/DocXMLRPCServer.py
94 +++ b/Lib/DocXMLRPCServer.py
96 CGIXMLRPCRequestHandler,
97 resolve_dotted_attribute)
100 +def _html_escape_quote(s, quote=True):
101 + s = s.replace("&", "&") # Must be done first!
102 + s = s.replace("<", "<")
103 + s = s.replace(">", ">")
105 + s = s.replace('"', """)
106 + s = s.replace('\'', "'")
110 class ServerHTMLDoc(pydoc.HTMLDoc):
111 """Class used to generate pydoc HTML document for a server"""
113 @@ -210,14 +221,7 @@ def generate_html_documentation(self):
124 - title = ''.join(escape_table.get(c, c) for c in self.server_title)
125 + title = _html_escape_quote(self.server_title)
126 return documenter.page(title, documentation)
128 class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
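Review bot: As shown on this page, every `replace()` in `_html_escape_quote` (added earlier in this patch) substitutes a character for itself, e.g. `s.replace("&", "&")`, so the helper would be a no-op and the `title` returned here would reach `documenter.page()` unescaped; this is almost certainly the page decoding `&amp;`, `&lt;`, `&gt;` and the quote entities, but it should be confirmed against the committed source, since the patch-1 test would fail otherwise. The helper also has no docstring; `"""Escape &, <, >, " and ' so *s* is safe in HTML text and attribute values."""` plus a note that it stands in for Python 3's `html.escape`, which 2.7 lacks, would explain why a hand-rolled helper is used. The hunk that adds the helper has no visible `@@` header on this page, and `generate_html_documentation` starts before this hunk.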
130 From 09b17d8230a24586e417d52c332058f541d47999 Mon Sep 17 00:00:00 2001
131 From: Dong-hee Na <donghee.na92@gmail.com>
132 Date: Tue, 1 Oct 2019 19:35:34 +0900
133 Subject: [PATCH 3/3] bpo-38243: Update
136 Lib/DocXMLRPCServer.py | 7 +++----
137 1 file changed, 3 insertions(+), 4 deletions(-)
139 diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
140 index 6ab41c31b403e..90b037dd35d6b 100644
141 --- a/Lib/DocXMLRPCServer.py
142 +++ b/Lib/DocXMLRPCServer.py
144 resolve_dotted_attribute)
147 -def _html_escape_quote(s, quote=True):
148 +def _html_escape_quote(s):
149 s = s.replace("&", "&") # Must be done first!
150 s = s.replace("<", "<")
151 s = s.replace(">", ">")
153 - s = s.replace('"', """)
154 - s = s.replace('\'', "'")
155 + s = s.replace('"', """)
156 + s = s.replace('\'', "'")