-----Original Message-----
From: Martijn Pieters <mj@antraciet.nl>
To: Andreas Kostyrka <andreas@mtg.co.at>; Alexander Staubo <alex@mop.no>
Cc: Zope Mailing List (E-mail) <zope@zope.org>
Date: Sunday, August 29, 1999 4:15 PM
Subject: RE: [Zope] <code> tag?
At 18:58 29-8-99, Andreas Kostyrka wrote:
On Sun, 29 Aug 1999, Alexander Staubo wrote:
It only works when explicitly requesting a document by its name. So:
http://www.mtg.co.at/PrincipiaSearchSource
won't work, whereas:
http://www.mtg.co.at/index_html/PrincipiaSearchSource
will get you the DTML source.

Confirmed. That's what one calls a security misfeature?

Being able to view a site's source code might reveal shortcomings in it that can be used to gain further access to your site. It might be that Zope has vulnerabilities as yet undiscovered. When thinking in terms of security, expect the worst.
I agree that there may be further security implications. Plus, not *everything* in the world is open source. I'm of the opinion that people should choose what is open and what is not...
Okay, how about the source of your Z SQL Methods: add getFindContent to the URL of a Z SQL Method, and you get the source, and this cannot be restricted.
If Zope wants to claim that it is secure, you should be able to protect your site's source code.
So, anyone can look at the content of a Z SQL Method or a DTML Method (and maybe Document). Is it possible to look at any arbitrary property? I've been working under the assumption that there was no way for someone to view a property unless you give them access via a method or the management screens...

Kevin
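The probe the thread describes (append PrincipiaSearchSource or getFindContent to an object's URL and see whether raw DTML or SQL comes back) is easy to turn into an audit script for your own site. The block below is an added example and is not code from the thread or from Zope itself. The host example.invalid, the object names index_html and sql_query, the response bodies, and the "looks like source" heuristics are all constructed for the demonstration; the network fetch is a callable you would replace with a real HTTP client.

```python
"""Audit helper for the Zope source-disclosure probe discussed in the thread.

Added example, not from the original post or from Zope. Real fetching is
abstracted behind a `fetch(url) -> body | None` callable so the script runs
offline; the sample site and responses below are constructed, not captured.
"""

import re
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urljoin

# URL suffixes named in the thread that return an object's source text.
SOURCE_METHODS = ("PrincipiaSearchSource", "getFindContent")

# Heuristics (assumptions of this example): a body that contains DTML tags
# (new <dtml-...> or old <!--#...--> syntax) or a SQL statement is "source",
# not a rendered page.
DTML_TAG = re.compile(r"<dtml-|<!--#(var|in|if|sqlvar)", re.IGNORECASE)
SQL_STMT = re.compile(
    r"\b(select|insert|update|delete)\b.*\b(from|into|set|where)\b",
    re.IGNORECASE | re.DOTALL,
)


def looks_like_source(body: str) -> List[str]:
    """Return the kinds of source text detected in a response body ([] if none)."""
    kinds = []
    if DTML_TAG.search(body):
        kinds.append("dtml")
    if SQL_STMT.search(body):
        kinds.append("sql")
    return kinds


def probe_urls(object_url: str) -> List[str]:
    """Build the candidate disclosure URLs for one object, e.g.
    http://host/index_html -> http://host/index_html/PrincipiaSearchSource."""
    base = object_url.rstrip("/") + "/"
    return [urljoin(base, method) for method in SOURCE_METHODS]


def audit(
    object_urls: Iterable[str], fetch: Callable[[str], Optional[str]]
) -> Dict[str, Dict[str, List[str]]]:
    """Probe every object; map object -> {probe_url: kinds} for those that leak."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for obj in object_urls:
        for url in probe_urls(obj):
            body = fetch(url)
            if body is None:  # not found / not served
                continue
            kinds = looks_like_source(body)
            if kinds:
                findings.setdefault(obj, {})[url] = kinds
    return findings


# Constructed sample site (hypothetical). It mirrors the thread's observation:
# the probe on the site root returns nothing, while the same probe on the
# explicitly named index_html document, or on a Z SQL Method, returns source.
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "http://example.invalid/index_html/PrincipiaSearchSource":
        "<html><dtml-var standard_html_header><p>Welcome</p>"
        "<dtml-var standard_html_footer></html>",
    "http://example.invalid/index_html/getFindContent":
        "<html><dtml-var standard_html_header><p>Welcome</p>"
        "<dtml-var standard_html_footer></html>",
    "http://example.invalid/sql_query/getFindContent":
        "SELECT name, email FROM users WHERE name = <dtml-sqlvar name type=string>",
}


def sample_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return SAMPLE_RESPONSES.get(url)


def run_sample_audit() -> Dict[str, Dict[str, List[str]]]:
    objects = [
        "http://example.invalid",            # site root: probe finds nothing
        "http://example.invalid/index_html", # DTML document: leaks
        "http://example.invalid/sql_query",  # Z SQL Method: leaks
    ]
    return audit(objects, sample_fetch)


if __name__ == "__main__":
    for obj, leaks in run_sample_audit().items():
        for url, kinds in leaks.items():
            print(f"{obj}: source exposed at {url} ({', '.join(kinds)})")
```

To run it against a real Zope instance, replace sample_fetch with a function that issues a GET and returns the body for 200 responses and None otherwise, and feed it the object URLs you care about; a hit means that URL serves the object's raw DTML or SQL to whoever can reach it, which is exactly the condition the thread is warning about.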