Vulnerabiltiy in XMLRPC / JSONRPC about circuits HOT 11 CLOSED

@spaceone I dare say though that is is almost by design :) 😆

However; I believe we should address this! Any ideas?

from circuits.

Maybe whitelist for allowed events?

from circuits.

Is there any real life example where it is used?

from circuits.

Yeah I've used the JSONRPC Dispatcher in https://github.com/prologic/autodock

In terms of fixing this though; perhaps we need to think about a redesign for JSONRPC/XMLRPC in general where it doesn't blindly translate RPC methods into events.

from circuits.

Retracted last comment; I'm not sure how to solve this. @spaceone: thoughts?

from circuits.

@spaceone: Actually now that I think about the particular use-cases; I think we should just remove the ability to target "channels" via RPC and instead let the user/developer do this if they so desire in their own "dispatchers" that listen to "rpc" events. This would be the simplest way and most secure as incoming "rpc" payloads would only ever hit the component/channel you specify in JSONRPC("/path", "encoding", "rpcchannel").

from circuits.

This looks way better. There is still no validation of the event name. Now everybody can fire arbitrary events into self.rpc_channel.

from circuits.

We could prefix the event name with 'rpc.' or/and call a method which can be overridden which dies a mapping from method → event name.

from circuits.

I don't think we should do this; primarily because it completely breaks the API and the notion that you can loosely couple and cooperate with components that listen to events on the rpc_channel. This would also completely break for example kdb and it's various plugins that listen to "rpc" events.

I believe the kind of "whitelist/blacklist" you're talking about can in fact be implemented by a user application (which I could demo in this issue?); otherwise let's close this and move on :)

from circuits.

With the fix you can still call the init() method of Component-inherited classes.

from circuits.

That would be because of:

from circuits import Component


class App(Component):

    def init(self):
        pass

I suspect if you @handler(None) it won't get exposed?

from circuits.