Michel Pelletier wrote:
I _think_ the problem is that ZServer builds SERVER_URL from the Host header and other HTTP headers. If the client reports these incorrectly, then ZServer will get them wrong, even though ZServer knows what port the request came in on.
This needs to be thought about (and obviously confirmed, I'm not positive). What you may want to do is get one of those fancy HTTP sniffers to see if ZClient requests are sending the port along with the Host header. If not, obviously ZClient should be fixed, but also maybe we should consider ZServer inspecting the Host header to make sure it jives with what port and host the request actually came in on (or at least the port, I'm not sure if in a multi-hosting environment this should be done). I don't think this is a security problem, but it might introduce some form of port spoofing we are unfamiliar with or unaware of.
Actually, I have been known to spoof the port number with a Cisco Local Director, allowing me to redirect the port 80 request on the LD to port 8080 on a cluster of servers behind the LD. Additionally, how would Zope deal with PCGI/FastCGI requests, since it would not be able to ascertain a port number from the socket directly? Besides, from a debugging standpoint, I often debug sites and servers by doing manual HTTP requests from a telnet client, playing all sorts of games with the Host header. Any changes to ZServer that prevent this kind of behaviour would make my life very difficult. I think we should just fix ZClient (if this is actually the problem). Besides, I don't think you need a network sniffer to look at the Host header. Isn't the Host header available from the REQUEST? If so, just stick it in the log with the absolute_url. --sam
-Michel
Loren Stafford wrote:
I've found that absolute_url does not return the port number when the request was created by client.py.
I may not have isolated the problem at the most detailed level, but here's one way to reproduce it. An object (zev3) in this case has two methods for the purposes of isolating this problem:
    def shoot(self, client=None, REQUEST=None, RESPONSE=None, **kw):
        """Track down a problem in absolute_url() """
        from ZPublisher import Client
        import Loggerr
        loggerr = Loggerr.loggerr
        myurl = self.absolute_url()
        emsg = 'Shoot: %s' % myurl
        loggerr(100, emsg, detail='')
        # call this object's "show" method through the ZPublisher client
        Client.call('%s/%s' % (myurl, 'show'))

    def show(self, client=None, REQUEST=None, RESPONSE=None, **kw):
        """Track down a problem in absolute_url() """
        import Loggerr
        loggerr = Loggerr.loggerr
        emsg = 'Show: %s' % self.absolute_url()
        loggerr(100, emsg, detail='')
Executing "show" by typing "http://127.0.0.1:8080/zev3/show" into the browser produces this log entry.
------ 2000-03-10T21:47:04 PROBLEM(100) Products.ZScheduler.Loggerr Show: http://127.0.0.1:8080/zev3
Executing "show" by typing "http://127.0.0.1:8080/zev3/shoot" into the browser produces this log entry.
------ 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Shoot: http://127.0.0.1:8080/zev3
------ 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Show: http://127.0.0.1/zev3
What happened with the port?
I'll try to track this down further, but I'm afraid the problem is in the depths of ZPublisher somewhere. Any hints would be appreciated.
-- Thanks -- Loren
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
-- Sam Gendler Chief Technology Officer - Impossible, Inc. 1222 State St. Suite 250 Santa Barbara CA. 93101 w: 805-560-0508 f: 805-560-0608 c: 805-689-1191 e: sgendler@impossible.com
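As an added illustration (not code from the thread or from Zope itself) of the mechanism the thread is circling around, the model below builds SERVER_URL from a Host header the way Loren's log entries suggest, so a Host header that omits the port yields a URL without one, and beside it a builder that fills in or cross-checks the port from the socket the request actually arrived on, as Michel proposed; the strict flag is an assumption, and the non-strict path keeps the header value so a port-rewriting front end like Sam's Local Director still works.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_header(host_header):
    """Return (hostname, port-or-None) from a Host header value.
    Bracketed IPv6 literals such as [::1]:8080 are handled by urlsplit."""
    parsed = urlsplit("//" + host_header.strip())
    if not parsed.hostname:
        raise ValueError("empty Host header")
    return parsed.hostname, parsed.port  # .port raises ValueError on junk


def _format_url(scheme, host, port):
    """Assemble scheme://host[:port], omitting a scheme-default port."""
    if ":" in host:                   # re-bracket IPv6 literals
        host = "[%s]" % host
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def naive_server_url(scheme, host_header):
    """Trust the Host header completely: no port in Host, no port in the URL.
    This reproduces the 'Show: http://127.0.0.1/zev3' entry from the thread."""
    host, port = split_host_header(host_header)
    return _format_url(scheme, host, port)


def checked_server_url(scheme, host_header, socket_port, strict=False):
    """Build the URL from Host, but recover a missing port from the socket
    and, when strict (assumed option), reject a Host port that disagrees."""
    host, port = split_host_header(host_header)
    if port is None:
        port = socket_port            # client omitted the port: recover it
    elif port != socket_port and strict:
        raise ValueError("Host header port %d != socket port %d"
                         % (port, socket_port))
    # non-strict: keep the header's port, as a port-rewriting proxy needs
    return _format_url(scheme, host, port)
```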