The HTTP 1.1 spec REQUIRES that webservers accept canonical URLs in the request. The intent was to gradually move away from the 0.9/1.0 method of just sending the path, which can make things awkward when doing virtual hosting. What is not defined in the spec is what to do if you receive a request for a canonical URL that does not exist on the server. It is totally appropriate for Zope to do what it did, and I don't think it should be changed. Certainly, nothing more than treating a request for a hostname that is not served locally as an error.

--sam
 

Oleg Broytmann wrote:

Hello!

   Our system/network admins scanned our local network and found a strange
proxy on my computer :)

> telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://www.zope.org/ HTTP/1.0
Host: localhost

   Then Zope returned the root page of localhost, not www.zope.org, so it is
not a security hole, but anyway I think ZServer should not accept a server name
in the request. Instead an error (perhaps HTTP error 400) should be
returned.
   Should I report this to Collector?

Oleg.
----
     Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
           Programmers don't die, they just GOSUB without RETURN.

-- 
------------------------------------------------
"I'll do the stupid thing first and then you shy 
 people follow..."
                                   --Frank Zappa
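
The policy discussed in this thread (accept a full URL in the request line, but answer with an error when it names a host that is not served locally), as an added example that is not ZServer code and not written by either poster. The `SERVED_HOSTS` set, the function names and the lowercase-keyed `headers` dict are assumptions made for illustration; the 400 status is the one suggested in the thread.

```python
from urllib.parse import urlsplit

# Assumption: hostnames this server answers for (constructed sample values).
SERVED_HOSTS = {"localhost", "127.0.0.1"}


def _hostname(netloc_url):
    """Lowercased hostname of a URL, or None if it is missing or malformed."""
    try:
        return urlsplit(netloc_url).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None


def effective_host(request_line, headers):
    """Host the request is addressed to: the URL in the request line wins,
    otherwise the Host header (port stripped). None if neither is usable."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    target = parts[1]
    if target.lower().startswith(("http://", "https://")):
        return _hostname(target)
    host = headers.get("host", "").strip()
    return _hostname("//" + host) if host else None


def decide_status(request_line, headers, served=SERVED_HOSTS):
    """Return 400 for malformed requests or hosts not served here, else 200."""
    parts = request_line.split()
    if len(parts) != 3:
        return 400
    host = effective_host(request_line, headers)
    if host is None:
        # A plain-path HTTP/1.0 request may omit Host: serve the default site.
        if parts[2] == "HTTP/1.0" and parts[1].startswith("/"):
            return 200
        return 400
    return 200 if host in served else 400


if __name__ == "__main__":
    # The request from the telnet session quoted above.
    print(decide_status("GET http://www.zope.org/ HTTP/1.0", {"host": "localhost"}))
```

Comparing against an explicit set of served names, rather than falling back to the default site, is what keeps the server from looking like a proxy to a network scan.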