At 10:43 29-8-99, Itamar Shtull-Trauring wrote:
Martijn Pieters wrote:
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
I just discovered this, and will report it to the Collector.
Are you sure? I tried this in the Zope beta site and I didn't manage to view the source of any page.
http://www.zope.org:18200/index_html/PrincipiaSearchSource

<html><head></head>
<!--#var standard_html_header-->

<p align=center>So, what's <a href="/SiteAnnouncement">new</a> about this site?</p>

<!--#comment-->
<table border="0" width="100%">
<tr valign="top">
<td valign="top">
<p class="small">
<form action="<!--#var SCRIPT_NAME-->/SiteIndex/search" method="post">
<input name="text_content">
<input type="submit" value=" Search ">
</form>
</p>
<h2>What is Zope?</h2>
<p class="small">
Zope is a free, Open Source application server for building high-performance, dynamic web sites.
</p>
<p class="small">
<a href="">Find out more...</a>
</p>
<h2>Latest News</h2>
<!--#var "SiteIndex.recentChanges(SiteIndex,REQUEST)"-->
<p class="small">
<a href="<!--#var SCRIPT_NAME-->/SiteIndex/news.rss">Zope news in RSS format.</a>
</p>
</td>
<td width="250" valign="top">
<table border="0" width="250">
<tr valign="top">
<td bgcolor="#7777FF">
<p class="smallpagetitle">Spotlight On</p>
</td></tr>
<tr valign="top"><td class="small">
<!--#with SpotLightOn-->
<!--#var Current-->
<!--#/with-->
</td></tr></table>
</td></tr></table>
<!--#/comment-->

<!------------------------------------------------------------------------->
<!-- THIS IS THE NEWS TABLE -->
<!-- FORMATTING FOR EACH NEWS ITEM FOLLOWS THE PATTERN: -->
<!-- REMEMBER TO OMIT THE TRAILING H2 TAG (IT CAUSES A WRAP BUT THE PAGE -->
<!-- ISN"T DEGRADED W/ OUT IT). -->
<!-- <TR> -->
<!-- <TD CLASS="headline"><H2 CLASS="headline">HEADLINE</TD> -->
<!-- </TR> -->
<!-- <TR> -->
<!-- <TD> -->
<!-- <DIV CLASS="byline">BYLINE</DIV> -->
<!-- <DIV CLASS="newsitem">SUMARRY<I><A HREF="#">[More...]</A></I></DIV> -->
<!-- <BR> -->
<!-- <DIV CLASS="extras">[CATEGORY | THREADS]</DIV></TD> -->
<!-- </TR> -->
<!-- </TR> -->
<!-- <TD> </TD> -->
<!-- </TR> -->
<!------------------------------------------------------------------------->
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<!--#var "SiteIndex.recentChanges(SiteIndex,REQUEST)"-->
</TABLE>
<p>
<a href="<!--#var SCRIPT_NAME-->/SiteIndex/news.rss">Zope news in RSS format.</a>
</p>
</TD>
<!--------------------------------------------------------------------->
<!-- END OF THE NEWS TABLE -->
<!--------------------------------------------------------------------->
<TD VALIGN=TOP>
<!------------------------------------------------------------------------->
<!-- THIS IS THE RIGHT COLUMN TABLE -->
<!-- For each item, you must set up as follows replacing TITLE and -->
<!-- COPY as required: -->
<!-- REMEMBER TO OMIT THE TRAILING H2 TAG (IT CAUSES A WRAP BUT THE PAGE -->
<!-- ISN"T DEGRADED W/ OUT IT). -->
<!-- -->
<!-- <TR> -->
<!-- <TD WIDTH="1" BGCOLOR="#6699CC" ROWSPAN="2"> -->
<!-- <IMG SRC="Images/spacer.gif" WIDTH="1" HEIGHT="1" BORDER="0"></TD> -->
<!-- <TD VALIGN="TOP" CLASS="righttitle"><H2 CLASS="righttitle">TITLE</TD></TR> -->
<!-- <TR> -->
<!-- <TD VALIGN="TOP" -->
<!-- <P CLASS="right">COPY</P></TD> -->
<!-- </TR> -->
<!-- <TR> -->
<!-- <TD COLSPAN="2"> </TD> -->
<!-- </TR> -->
<!------------------------------------------------------------------------->
<TABLE BORDER="0" CELLSPACING="0" CELLPADDING="0" WIDTH="200">
<!-------------------------->
<!-- RIGHT COLUMN ITEM #1 -->
<!-------------------------->
<TR>
<TD WIDTH="1" ROWSPAN="2" BGCOLOR="#6699CC">
<IMG SRC="Images/spacer.gif" ALT="Spacing image" WIDTH="1" HEIGHT="2" BORDER="0"></TD>
<TD VALIGN="TOP" CLASS="righttitle"><H2 CLASS="righttitle">What is Zope?</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<P CLASS="right">Zope is a free, Open Source application server for building high-performance, dynamic web sites. </P></TD>
</TR>
<TR>
<TD COLSPAN="2"> </TD>
</TR>
<!-------------------------->
<!-- RIGHT COLUMN ITEM #2 -->
<!-------------------------->
<TR>
<TD WIDTH="1" BGCOLOR="#6699CC" ROWSPAN="3" VALIGN=TOP><IMG SRC="/Images/spacer.gif" ALT="Spacing image" WIDTH="1" HEIGHT="2" BORDER="0"></TD>
<TD VALIGN="TOP" CLASS="righttitle"><H2 CLASS="righttitle">Spotlight On...</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<!--#with SpotLightOn-->
<!--#var Current-->
<!--#/with-->
<!--#comment-->
<!-- Links removed because of lack of content -->
<HR NOSHADE SIZE="0.5" WIDTH="95%">
<P CLASS="right">Read more Zope <A HREF="/Community/CaseStudies">case studies</A> and <A HREF="/Community/Testimonials">testimonials</A>.</P>
<!--#/comment-->
</TD>
</TR>
<TR>
<TD COLSPAN="2"> </TD>
</TR>
</TABLE></TD>
<!--------------------------------------------------------------------->
<!-- END OF THE RIGHT COLUMN TABLE -->
<!--------------------------------------------------------------------->
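A way to check a Zope 2 site for the disclosure the thread describes, as an added example that is neither Zope's code nor anything the posters wrote: for each object path it requests both `<object>/PrincipiaSearchSource` and `<object>/document_src` without credentials and reports a view as exposed when it answers 200 with DTML directives still in the body (the `<!--#...-->` syntax seen above, or the later `<dtml-...>` form). The mock Zope server, its loopback port, the `index_html` path and the sample DTML are constructed for the demonstration; the "looks like source" heuristic is my choice, not a Zope rule. Against a real site, set `base_url` to the site and skip the mock.

```python
"""Probe Zope 2 objects for DTML source disclosure via PrincipiaSearchSource.

Added example for this thread, not code from Zope or from the original posters.
The mock server, object paths and sample DTML below are constructed.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The two source views named in the thread: document_src should demand
# 'View management screens'; PrincipiaSearchSource was answering anonymously.
SOURCE_VIEWS = ("PrincipiaSearchSource", "document_src")

# Markers that appear only in unrendered DTML, never in the rendered page:
# the old <!--#...--> syntax and the later <dtml-...> syntax (heuristic).
DTML_MARKERS = ("<!--#", "<dtml-")


def fetch(url, timeout=5):
    """GET url and return (status, body); a 401/403/404 is a result, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "dtml-source-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def looks_like_dtml_source(body):
    """True when the body still carries DTML directives, i.e. it was not rendered."""
    return any(marker in body for marker in DTML_MARKERS)


def check_source_exposure(base_url, object_paths):
    """Map (object path, view) -> True when that view hands unrendered source
    to an unauthenticated client."""
    base = base_url.rstrip("/")
    findings = {}
    for path in object_paths:
        for view in SOURCE_VIEWS:
            status, body = fetch(f"{base}/{path.strip('/')}/{view}")
            findings[(path, view)] = status == 200 and looks_like_dtml_source(body)
    return findings


# --- constructed stand-in for a vulnerable Zope 2 site -----------------------
# Behaves like the site in the thread: document_src asks for credentials (401),
# PrincipiaSearchSource returns the raw DTML Method to anyone.
CONSTRUCTED_DTML = (
    "<html><head></head>\n"
    "<!--#var standard_html_header-->\n"
    "<p>So, what's new about this site?</p>\n"
    "<!--#var standard_html_footer-->\n"
)


class MockZopeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.endswith("/PrincipiaSearchSource"):
            self._reply(200, CONSTRUCTED_DTML)  # the leak
        elif self.path.endswith("/document_src"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'basic realm="Zope"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self._reply(200, "<html><body>rendered page</body></html>")

    def _reply(self, status, body):
        data = body.encode("latin-1")
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_mock_zope():
    """Start the constructed site on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockZopeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, base_url = start_mock_zope()
    try:
        for (path, view), exposed in check_source_exposure(base_url, ["index_html"]).items():
            print(f"{path}/{view}: {'EXPOSED' if exposed else 'protected'}")
    finally:
        server.shutdown()
```

The probe deliberately treats a 401 or 403 as a finding of "protected" rather than a failure, because the whole point is the difference between the two views on the same object: the view that should be gated returns 401, the one the thread complains about returns 200 with the directives intact. Once the Collector fix lands, both entries should come back protected for an anonymous client.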