Hello! Our system/network admins scanned our local network and found a strange proxy on my computer :)

telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://www.zope.org/ HTTP/1.0
Host: localhost

Then Zope returned the root page of localhost, not www.zope.org, so it is not a security hole, but anyway I think ZServer should not accept a server name in the request. Instead an error (perhaps HTTP error 400) should be returned. Should I report this to the Collector?

Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
On Sunday 11 March 2001 04:25, Oleg Broytmann wrote:
> Hello! Our system/network admins scanned our local network and found a strange proxy on my computer :)
>
> telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET http://www.zope.org/ HTTP/1.0
> Host: localhost
>
> Then Zope returned the root page of localhost, not www.zope.org, so it is not a security hole, but anyway I think ZServer should not accept a server name in the request. Instead an error (perhaps HTTP error 400) should be returned. Should I report this to the Collector?

Probably as a feature request to z2.py for a check host option, else you'll be hosing those doing virtual hosting.

kapil
The HTTP 1.1 spec REQUIRES that webservers accept canonical URLs in the request. The intent was to gradually move away from the 0.9/1.0 method of just sending the path, which can make things awkward when doing virtual hosting. What is not defined in the spec is what to do if you receive a request for a canonical URL that does not exist on the server. It is totally appropriate for Zope to do what it did, and I don't think it should be changed. Certainly, nothing more than treating a request for a hostname that is not served locally as an error.

--sam

Oleg Broytmann wrote:
> Hello! Our system/network admins scanned our local network and found a strange proxy on my computer :)
>
> telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET http://www.zope.org/ HTTP/1.0
> Host: localhost
>
> Then Zope returned the root page of localhost, not www.zope.org, so it is not a security hole, but anyway I think ZServer should not accept a server name in the request. Instead an error (perhaps HTTP error 400) should be returned. Should I report this to the Collector?
>
> Oleg.
> ----
> Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
> Programmers don't die, they just GOSUB without RETURN.
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )

--
------------------------------------------------
"I'll do the stupid thing first and then you shy people follow..." --Frank Zappa
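To make the behaviour the three messages describe concrete, here is an added example in Python (written for this archive page; it is not ZServer or z2.py code). It shows a request-target resolver that accepts both origin-form ("GET /") and absolute-form ("GET http://host/") request lines, as HTTP/1.1 requires, picks the host the way RFC 2616 section 5.2 says (the authority in an absolute URI wins over the Host header), and has a check_host switch standing in for the "check host option" kapil suggests: off, the server answers for whatever host it is asked for, which is what Oleg observed; on, a host outside the configured set gets a 400 instead, which is what Oleg proposed. The served-host set, the function names and the sample requests are constructed for the example and are assumptions, not Zope's configuration.

```python
from urllib.parse import urlsplit

# Constructed example configuration (assumption): the hostnames this
# origin server is willing to answer for. A virtual-hosting deployment
# would list every site it serves here, which is why a host check must
# be optional or configurable rather than hard-wired to "localhost".
SERVED_HOSTS = {"localhost", "127.0.0.1", "intranet.example"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, version, headers).

    Header names are lower-cased. A malformed request line or header
    raises ValueError so the caller can answer 400.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    req = lines[0].split(" ")
    if len(req) != 3 or not req[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = req
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def _hostname(authority):
    """Normalise 'Host: example:8080' or '[::1]:8080' to a bare lower-case host."""
    if authority is None:
        return None
    return urlsplit("//" + authority).hostname


def resolve_target(raw: bytes, served_hosts=SERVED_HOSTS, check_host=True):
    """Return (status, host, path) for one request.

    status 200 means "route to the local handler for (host, path)";
    400 means the request is refused before any content is looked up.

    RFC 2616 section 5.2: when the request-URI is absolute, its authority
    is the host and the Host header is ignored for virtual-host selection;
    otherwise the Host header is used. HTTP/1.1 requests without a
    resolvable host are rejected.
    """
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError:
        return 400, None, None

    if target.startswith("/"):
        # origin-form: the host comes from the Host header
        host = _hostname(headers.get("host"))
        path = target
    elif "://" in target:
        # absolute-form: the URI's own authority wins over Host
        parts = urlsplit(target)
        host = parts.hostname
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
    else:
        return 400, None, None

    if version == "HTTP/1.1" and host is None:
        return 400, None, None  # HTTP/1.1 requires a Host

    if check_host and host is not None and host not in served_hosts:
        # Oleg's proposal: a host we do not serve is an error, not a
        # request to answer from our own tree. Note the resolver never
        # fetches anything from a remote host either way; that, not the
        # request-line syntax, is what would make a server an open proxy.
        return 400, host, path

    # check_host off, or a served host: answer from the local tree for
    # that host (with check_host off this is the behaviour Oleg saw,
    # the root page of localhost coming back for http://www.zope.org/).
    return 200, host, path
```

Usage: resolve_target(b"GET http://www.zope.org/ HTTP/1.0\r\nHost: localhost\r\n\r\n", check_host=False) returns (200, "www.zope.org", "/"), i.e. the request is served locally as in the thread, while the same request with check_host=True returns (400, "www.zope.org", "/"). A scanner that flags a "proxy" from the request syntax alone is reporting the RFC-mandated absolute-form support; the meaningful check is whether the response body is the remote site's content or the local root page.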