Oliver Bleutgen wrote:
> Common wisdom seems to be to filter out .*manage.* requests in Apache (search the mailing lists for that).

Sadly, if you want 100% coverage, filtering on 'manage' alone won't cut it, thanks to

a) management interfaces that don't use manage anywhere in the name, like ZCacheable_*
b) type coercion done through POST requests, which seems basically impossible to filter out using Apache

Zope will have to be patched or a new product will have to be written to enforce secure management.

--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy