<snip examples of bad bobo-* headers>
I have more than one problem with these headers:
1) most important: unpredictability of the RFC compliance. not a good thing.
2) security related: they give out way too much information to be comfortable with. a client doesn't have any business with the absolute path to your zope install (Bobo-exception-File) and you get these even when not running with the -D option.
Although not enough info to hack/crack/whatever the machine/server it gives a hacker something concrete to work with.
3) usefulness: what do you gain from having these headers anyway? you have the error log on server side that contains the same information in another form.
Is there still anybody out there who uses this? if not, it's better to throw the whole thing out of the codebase, no?
This bit of black magic supports the ZPublisher.Client module, which is an rpc-like mechanism that pre-dates xml-rpc, SOAP, etc. I'm not sure how to gauge how many people may still use it :(

That said, I think the issues can be fixed without necessarily throwing it out. I think if we:

- escape or otherwise make the exception value header-compliant
- remove the leading path on the exception-file (so you would only see 'something.py')

...then that would resolve these (legitimate) concerns. Thoughts?

Brian Lloyd brian@zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
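The two fixes proposed in the reply above, sketched as an added example that is not part of the thread and not Zope's own code. The function names, the `Bobo-Exception-Value` header spelling, the 200-character cap and the sample paths are assumptions made for illustration.

```python
import ntpath
import re

MAX_VALUE_LEN = 200  # assumed cap; the thread does not specify one


def header_safe(value, limit=MAX_VALUE_LEN):
    """Reduce arbitrary exception text to one line of printable ASCII."""
    text = str(value)
    # Fold CR, LF, tabs and other whitespace runs into a single space so the
    # value can neither end the header line nor start a new header.
    text = re.sub(r"\s+", " ", text).strip()
    # Anything outside printable ASCII (control bytes, non-ASCII) becomes '?'.
    text = "".join(c if 0x20 <= ord(c) <= 0x7E else "?" for c in text)
    return text[:limit]


def file_name_only(path):
    """Drop the leading directories so only 'something.py' is exposed."""
    # ntpath.basename splits on both '/' and '\\', so POSIX and Windows
    # install paths are handled the same way.
    return header_safe(ntpath.basename(path))


def exception_headers(exc, source_file):
    """Build the two headers discussed in the thread (hypothetical helper)."""
    return {
        "Bobo-Exception-Value": header_safe(exc),  # header name assumed
        "Bobo-Exception-File": file_name_only(source_file),
    }


if __name__ == "__main__":
    # Constructed sample: an exception message carrying CR/LF and a NUL byte,
    # raised from a constructed absolute install path.
    err = ValueError("bad id\r\nSet-Cookie: x=1\x00 caf\u00e9")
    sample = exception_headers(err, "/usr/local/zope/lib/python/ZPublisher/Publish.py")
    for name, value in sample.items():
        print(f"{name}: {value}")
```
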