On Wed, Feb 09, 2000 at 04:54:48PM -0500, Brian Lloyd wrote:
This update prevents the REQUEST object from being traversable by web clients. While this feature was useful for debugging, Evan Simpson noted a potential security issue that could allow web authors to play client scripting tricks and make them appear (to the user) to be coming from a Zope site.
Sorry, I don't get it. Can you elaborate? I don't see how this is a problem. And how exactly is ``traversing'' banned? Can't I <dtml-var REQUEST> anymore, or are you talking about direct access via some URL?

[]s,
|alo
+----
--
I am Lalo of deB-org. You will be freed. Resistance is futile.
http://www.webcom.com/lalo mailto:lalo@webcom.com
pgp key in the web page
Debian GNU/Linux --- http://www.debian.org
Brazil of Darkness -- http://zope.gf.com.br/BroDar