As I already suggested ages ;) ago (and still didn't put into practice), it would here again be best to deny everything that isn't explicitly allowed (e.g. allow whatever ends with _html or .html and deny everything else), but then I would have to go over the whole website and make bazillions of changes ... I fixed the problem temporarily by adding some "FilesMatch/LocationMatch + deny from all" in my httpd.conf. But what else do I have to deny apart from objectIds?
Ragnar
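For reference, here is what the deny-by-default approach sketched above looks like in httpd.conf. This is an added example, not Ragnar's actual configuration; it assumes the Zope site is published under /site/ and uses the Apache 1.3/2.0 era "Order/Deny/Allow" syntax that the post refers to.

```apache
# Added example (not from the thread). Assumption: Zope content is
# published under /site/ behind this Apache front end.

# 1. Start from "deny everything" for the whole Zope tree.
<LocationMatch "^/site/">
    Order deny,allow
    Deny from all
</LocationMatch>

# 2. Re-open only what is explicitly allowed: URLs ending in .html or
#    _html (the allowlist suggested in the post) plus bare folder URLs,
#    which Zope resolves to index_html. Because mod_access has no merge
#    step, this more specific section replaces the rule above for
#    matching requests. Anything else (objectIds, standard_html_header,
#    any other method or attribute reachable by URL) stays denied.
<LocationMatch "^/site/(.*/)?([^/]+\.html|[^/]+_html|)$">
    Order deny,allow
    Allow from all
</LocationMatch>

# Apache 2.4 equivalent of the two sections above (mod_authz_core):
#   <LocationMatch "^/site/">                         Require all denied
#   <LocationMatch "^/site/(.*/)?([^/]+\.html|[^/]+_html|)$">  Require all granted
```

The cost is exactly the one the post names: images, stylesheets and any other object whose id does not end in .html or _html need their own Allow section, or a renaming pass over the site.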
Andrew Kenneth Milton wrote:
| | http://www.zope.org/standard_html_header for example ;-)
Not that old chestnut again...
Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it.
...and yes, there are discussions about this on Zope-dev right now, which will hopefully produce a solution :-)
cheers,
Chris
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )