I _think_ the problem is that ZServer builds SERVER_URL from the Host header and other HTTP headers. If the client reports these incorrectly, then ZServer will get them wrong, even though ZServer knows what port the request came in on. This needs to be thought about (and obviously confirmed, I'm not positive). What you may want to do is get one of those fancy HTTP sniffers to see if ZClient requests are sending the port along with the Host header. If not, obviously ZClient should be fixed, but also maybe we should consider ZServer inspecting the Host header to make sure it jives with what port and host the request actually came in on (or at least the port, I'm not sure if in a multi-hosting environment this should be done).

I don't think this is a security problem, but it might introduce some form of port spoofing we are unfamiliar with or unaware of.

-Michel

Loren Stafford wrote:
I've found that absolute_url does not return the port number when the request was created by client.py.
I may not have isolated the problem at the most detailed level, but here's one way to reproduce it. An object (zev3) in this case has two methods for the purposes of isolating this problem:
    def shoot(self, client=None, REQUEST=None, RESPONSE=None, **kw):
        """Track down a problem in absolute_url()
        """
        from ZPublisher import Client
        import Loggerr
        loggerr=Loggerr.loggerr
        myurl=self.absolute_url()
        emsg='Shoot: %s' % myurl
        loggerr(100, emsg, detail='')
        # Request "show" on this same object through the ZPublisher HTTP client
        Client.call('%s/%s' % (myurl, 'show'))

    def show(self, client=None, REQUEST=None, RESPONSE=None, **kw):
        """Track down a problem in absolute_url()
        """
        import Loggerr
        loggerr=Loggerr.loggerr
        emsg='Show: %s'% self.absolute_url()
        loggerr(100, emsg, detail='')
Executing "show" by typing "http://127.0.0.1:8080/zev3/show" into the browser produces this log entry.
    ------
    2000-03-10T21:47:04 PROBLEM(100) Products.ZScheduler.Loggerr Show: http://127.0.0.1:8080/zev3
Executing "show" by typing "http://127.0.0.1:8080/zev3/shoot" into the browser produces this log entry.
    ------
    2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Shoot: http://127.0.0.1:8080/zev3
    ------
    2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Show: http://127.0.0.1/zev3
What happened with the port?
I'll try to track this down further, but I'm afraid the problem is in the depths of ZPublisher somewhere. Any hints would be appreciated.
-- Thanks -- Loren
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
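The check suggested in the reply above (compare the port in the Host header with the port the request actually arrived on), as an added example that is not part of the original thread and is not ZServer or ZPublisher code. The function names and the default-port table are assumptions made for the illustration; the two sample Host values are constructed to mirror the two log entries.

```python
# Added illustration; not ZServer or ZPublisher code. All names are hypothetical.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_header(value):
    """Split a Host header value into (host, port or None)."""
    value = value.strip()
    if value.startswith("["):  # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[:end + 1], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_text = rest[1:]
    else:
        host, _, port_text = value.partition(":")
    if not host:
        raise ValueError("empty host")
    if not port_text:
        return host, None  # client sent no port at all
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError("non-numeric port")
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


def url_from_host_header(host_header, scheme="http"):
    """Base URL derived from the header alone (the suspected behaviour)."""
    host, port = split_host_header(host_header)
    if port is None or port == DEFAULT_PORTS[scheme]:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def check_host_port(host_header, local_port, scheme="http"):
    """Return (ok, claimed_port): does the header agree with the socket port?"""
    _, port = split_host_header(host_header)
    claimed = DEFAULT_PORTS[scheme] if port is None else port
    return claimed == local_port, claimed


if __name__ == "__main__":
    # Constructed inputs mirroring the two log entries in the thread.
    for header in ("127.0.0.1:8080", "127.0.0.1"):
        ok, claimed = check_host_port(header, 8080)
        print(header, url_from_host_header(header), "ok" if ok else "MISMATCH", claimed)
```

Behind a reverse proxy or a virtual-hosting front end the listening port legitimately differs from the port in the Host header, so a mismatch is something to log or compare against configured public ports rather than a reason to reject the request outright.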