Document issues with xmlrpc security of python built in libraries

rouilj · rouilj · commit 09afc8c961dd · 2020-01-03T19:22:54.000-05:00
Added note to changes with better description and link to defusedxml
in the xmlrpc doc.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -70,6 +70,7 @@ Fixed:
   is used. Fixed three places where the value of a hidden @action
   input field was translated. (Reported by Ludwig Reiter. John
   Rouillard)
+- Document security issues in xmlrpc interface in doc/xmlrpc.txt.
 
 2019-10-23 2.0.0 alpha 0
 
diff --git a/doc/xmlrpc.txt b/doc/xmlrpc.txt
@@ -50,10 +50,11 @@ stand alone roundup-xmlrpc-server
 Using roundup to access the xmlrpc interface is preferred. Roundup
 provides better control over who can use the interface.
 
-The Roundup XML-RPC standalone server must be started before remote clients can access the
-tracker via XML-RPC. ``roundup-xmlrpc-server`` is installed in the scripts
-directory alongside ``roundup-server`` and roundup-admin``. When invoked, the
-location of the tracker instance must be specified.
+The Roundup XML-RPC standalone server must be started before remote
+clients can access the tracker via XML-RPC. ``roundup-xmlrpc-server``
+is installed in the scripts directory alongside ``roundup-server`` and
+``roundup-admin``. When invoked, the location of the tracker instance
+must be specified.
 
 	roundup-xmlrpc-server -i ``/path/to/tracker``
 
@@ -62,17 +63,23 @@ The default port is ``8000``. An alternative port can be specified with the
 
 security consideration
 ----------------------
-Note that the current ``roundup-xmlrpc-server`` implementation does not
-support SSL. This means that usernames and passwords will be passed in
-cleartext unless the server is being proxied behind another server (such as
-Apache or lighttpd) that provide SSL.
+Both the standalone and embedded roundup XML endpoints used the
+default python XML parser. This parser is know to have security
+issues. For details see: https://pypi.python.org/pypi/defusedxml/.
+You may wish to use the rest interface which doesn't have the same
+issues. Patches with tests to roundup to use defusedxml are welcome.
 
+Note that the current ``roundup-xmlrpc-server`` implementation does
+not support SSL. This means that usernames and passwords will be
+passed in cleartext unless the server is being proxied behind another
+server (such as Apache or lighttpd) that provide SSL.
 
 Client API
 ----------
-The server currently implements four methods. Each method requires that the
-user provide a username and password in the HTTP authorization header in order
-to authenticate the request against the tracker.
+The server currently implements four methods. Each method requires
+that the user provide a username and password in the HTTP
+authorization header in order to authenticate the request against the
+tracker.
 
 ======= ====================================================================
 Command Description
