It only works when explicitly requesting a document by its name. So:

http://www.mtg.co.at/PrincipiaSearchSource

won't work, whereas:

http://www.mtg.co.at/index_html/PrincipiaSearchSource

will get you the DTML source.

--
Alexander Staubo http://www.mop.no/~alex/
"`Ford, you're turning into a penguin. Stop it.'"
--Douglas Adams, _The Hitchhiker's Guide to the Galaxy_

-----Original Message-----
From: Andreas Kostyrka [mailto:andreas@mtg.co.at]
Sent: 29. august 1999 09:05
To: Martijn Pieters
Cc: Mike Winter; zope@zope.org
Subject: Re: [Zope] <code> tag?
On Sun, 29 Aug 1999, Martijn Pieters wrote:
At 02:03 29-8-99 , Mike Winter wrote:
Hi, just a quick question: how do you get Zope to display DTML without evaluating it?
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.

Well, I've tried this with www.mtg.co.at (Z2.0b1), and I get this:
Zope Error
Zope has encountered an error while publishing this resource.
Resource not found
Sorry, the requested Zope resource does not exist.
Check the URL and try again.
Troubleshooting Suggestions
The URL may be incorrect. The parameters passed to this resource may be incorrect. A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the HTML source for this page.
If the error persists please contact the site maintainer. Thank you for your patience.
Traceback (innermost last):
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 297, in publish_module
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 175, in publish
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/BaseRequest.py, line 289, in traverse
  File /home/zope/Zope-2.0.0b1-src/lib/python/OFS/Application.py, line 260, in __bobo_traverse__
    (Object: ApplicationDefaultPermissions)
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/HTTPResponse.py, line 499, in notFoundError
NotFound: (see above)
I just discovered this, and will report it to the Collector.
--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| T: +31 35 7502100 F: +31 35 7502111
| mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
---------------------------------------------
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
(To receive general Zope announcements, see: http://www.zope.org/mailman/listinfo/zope-announce
For developer-specific issues, zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
--
Andreas Kostyrka | andreas@mtg.co.at
phone: +43/1/7070750 | phone: +43/676/4091256
MTG Handelsges.m.b.H. | fax: +43/1/7065299
Raiffeisenstr. 16/9 | 2320 Zwoelfaxing AUSTRIA
On Sun, 29 Aug 1999, Alexander Staubo wrote:
It only works when explicitly requesting a document by its name. So:
http://www.mtg.co.at/PrincipiaSearchSource
won't work, whereas:
http://www.mtg.co.at/index_html/PrincipiaSearchSource
will get you the DTML source.

Confirmed. That's what one calls a security misfeature?
Andreas

--
Andreas Kostyrka | andreas@mtg.co.at
phone: +43/1/7070750 | phone: +43/676/4091256
MTG Handelsges.m.b.H. | fax: +43/1/7065299
Raiffeisenstr. 16/9 | 2320 Zwoelfaxing AUSTRIA
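An added example, not part of the thread and not Zope's own code: a site operator can check web access logs for requests that end in the two source-revealing methods named above and see which ones the server actually answered. It assumes Common Log Format access logs; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two source-revealing methods named in the thread.
SOURCE_METHODS = ("PrincipiaSearchSource", "document_src")


def find_source_requests(lines):
    """Return (host, path, status, served) for every request whose last
    path segment is one of SOURCE_METHODS. served is True on a 2xx reply,
    meaning the server returned a body instead of an error page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        # Drop the query string, decode %XX escapes, ignore a trailing slash.
        path = unquote(m.group("path").split("?", 1)[0]).rstrip("/")
        if path.rsplit("/", 1)[-1] in SOURCE_METHODS:
            status = int(m.group("status"))
            hits.append((m.group("host"), path, status, 200 <= status < 300))
    return hits


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/1999:09:01:12 +0200] "GET /PrincipiaSearchSource HTTP/1.0" 404 1532',
    '192.0.2.10 - - [29/Aug/1999:09:02:40 +0200] "GET /index_html/PrincipiaSearchSource HTTP/1.0" 200 2811',
    '192.0.2.22 - - [29/Aug/1999:09:05:03 +0200] "GET /index_html HTTP/1.0" 200 4096',
    '192.0.2.31 - alice [29/Aug/1999:09:07:55 +0200] "GET /docs/howto/document_src HTTP/1.0" 401 310',
]

if __name__ == "__main__":
    for host, path, status, served in find_source_requests(SAMPLE_LOG):
        label = "SERVED " if served else "refused"
        print(f"{label} {status} {host} {path}")
```

A served PrincipiaSearchSource request from an unauthenticated client is the case the thread describes; a served document_src request is expected only for users holding the View management screens permission.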
participants (2)
- Alexander Staubo
- Andreas Kostyrka