Re: [Zope-dev] Re: [Zope] insecure XML-RPC handling.
R. David Murray wrote:
On Tue, 2 Apr 2002, Eron Lloyd wrote:
The problem here seems to be that you are trying to do XML-RPC communication with a version of Zope that doesn't support XML-RPC out of the box. You
I think most people missed the point here. I don't think Rossen is asking for help on running zope or getting xml-rpc to work with it. He's observed a "security" problem: he believes the fact that a traceback including path names is included in the error response is a security exposure. This has been discussed on zope-dev before, but the fact remains that the security community *does* treat exposure of filesystem path information as a security issue.
I believe the addition of the variable to control what happens with tracebacks addresses this issue from a security standpoint, which is probably all that Rossen cares about with regards to letting bugtraq know that "the security bug has been fixed".
Just to add some weight to this point, let's search google: http://www.google.com/search?q=%22path+disclosure+vulnerability%22

I don't care too much about this bug (let's call it a bug), but it indeed has enough weight to get zope quite a bad reputation in the security community. Oh, and each and every instance of these "vulnerabilities" got patched by the vendors, so they seem to take it seriously also.

cheers,
oliver
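The issue the thread describes, as an added illustration that is not part of the original message or of Zope itself: a minimal XML-RPC dispatcher in which a flag (standing in for the traceback-control variable mentioned above) decides whether an unhandled exception is returned to the remote caller as a full traceback, including the server's filesystem paths, or logged server-side while the caller gets only a generic fault. The method name, flag and log list are constructed for the example.

```python
import traceback
import xmlrpc.client


def failing_method():
    # Constructed stand-in for a published method that raises at runtime.
    raise KeyError("no such object")


def fault_with_traceback():
    # The behaviour the thread objects to: the full traceback, with absolute
    # paths of the server's .py files, is serialised into the faultString.
    return xmlrpc.client.dumps(
        xmlrpc.client.Fault(-1, traceback.format_exc()), methodresponse=True)


def fault_generic(exc, log):
    # Hardened behaviour: keep the traceback in the server log and send the
    # caller only the exception type plus a fixed message.
    log.append(traceback.format_exc())
    return xmlrpc.client.dumps(
        xmlrpc.client.Fault(-1, f"{type(exc).__name__}: internal server error"),
        methodresponse=True)


def call(method, leak_tracebacks, log):
    """Dispatch one XML-RPC call and return the response document as XML."""
    try:
        result = method()
        return xmlrpc.client.dumps((result,), methodresponse=True)
    except Exception as exc:
        # traceback.format_exc() still sees the active exception here.
        if leak_tracebacks:
            return fault_with_traceback()
        return fault_generic(exc, log)


def fault_string(response_xml):
    """Parse a response exactly as a client would; return its faultString."""
    try:
        xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        return fault.faultString
    return None


if __name__ == "__main__":
    print(fault_string(call(failing_method, True, [])))   # leaks 'File "..."' lines
    print(fault_string(call(failing_method, False, [])))  # generic message only
```

Running the leaky variant against a client on another host is what turns a traceback into a path disclosure; the second variant keeps the same diagnostic value in the server log.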
Oliver Bleutgen