Michael Bernstein wrote:
Chris Withers wrote:
Incidentally, I think this is a bit of a security hole. You shouldn't get told what you're not allowed to see, especially if it's 'cos you got your password wrong. If you see what I mean ;-)
I see what you mean here, Chris, but wouldn't this come under the heading of a 'security through obscurity' hole? ie. you're saying that the system isn't obscure enough?
Not really... I'm saying it shouldn't tell you stuff you _never_ need to know, like where on your file system the Zope files live. A lot of this comes from standard_error_message not being used for authorization errors, and Zope's insistence on tacking the traceback onto error pages it returns, even in production mode :-S

Might have to have a look at this some time ;-)

cheers,

Chris