Hi, just a quick question: how do you get Zope to display DTML without evaluating it?
-- Mike Winter | mfw127@mail.usask.ca U. of S: 966-4759 TR Labs: 668-9323
Mike Winter wrote:
Hi, just a quick question: how do you get Zope to display DTML without evaluating it?
&lt; for < and &gt; for > displays it nicely and is what I use..
David, Tone..
-- Mike Winter | mfw127@mail.usask.ca U. of S: 966-4759 TR Labs: 668-9323
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
(To receive general Zope announcements, see: http://www.zope.org/mailman/listinfo/zope-announce
For developer-specific issues, zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
At 02:03 29-8-99 , Mike Winter wrote:
Hi, just a quick question: how do you get Zope to display DTML without evaluating it?
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
I just discovered this, and will report it to the Collector.
-- Martijn Pieters, Web Developer | Antraciet http://www.antraciet.nl | T: +31 35 7502100 F: +31 35 7502111 | mj@antraciet.nl http://www.antraciet.nl/~mj | PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
On Sun, 29 Aug 1999, Martijn Pieters wrote:
At 02:03 29-8-99 , Mike Winter wrote:
Hi, just a quick question: how do you get Zope to display DTML without evaluating it?
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
Well, I've tried this with www.mtg.co.at (Z2.0b1), and I get this:

Zope Error
Zope has encountered an error while publishing this resource.
Resource not found
Sorry, the requested Zope resource does not exist. Check the URL and try again.
Troubleshooting Suggestions
  The URL may be incorrect.
  The parameters passed to this resource may be incorrect.
  A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the HTML source for this page.
If the error persists please contact the site maintainer. Thank you for your patience.
Traceback (innermost last):
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 297, in publish_module
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 175, in publish
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/BaseRequest.py, line 289, in traverse
  File /home/zope/Zope-2.0.0b1-src/lib/python/OFS/Application.py, line 260, in __bobo_traverse__
    (Object: ApplicationDefaultPermissions)
  File /home/zope/Zope-2.0.0b1-src/lib/python/ZPublisher/HTTPResponse.py, line 499, in notFoundError
NotFound: (see above)
I just discovered this, and will report it to the Collector.
-- Martijn Pieters, Web Developer | Antraciet http://www.antraciet.nl | T: +31 35 7502100 F: +31 35 7502111 | mj@antraciet.nl http://www.antraciet.nl/~mj | PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149 ---------------------------------------------
-- Andreas Kostyrka | andreas@mtg.co.at phone: +43/1/7070750 | phone: +43/676/4091256 MTG Handelsges.m.b.H. | fax: +43/1/7065299 Raiffeisenstr. 16/9 | 2320 Zwoelfaxing AUSTRIA
Martijn Pieters wrote:
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
I just discovered this, and will report it to the Collector.
Are you sure? I tried this in the Zope beta site and I didn't manage to view the source of any page. -- Itamar - itamars@ibm.net
At 10:43 29-8-99 , Itamar Shtull-Trauring wrote:
Martijn Pieters wrote:
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
I just discovered this, and will report it to the Collector.
Are you sure? I tried this in the Zope beta site and I didn't manage to view the source of any page.
http://www.zope.org:18200/index_html/PrincipiaSearchSource

<html><head></head>
<!--#var standard_html_header-->
<p align=center>So, what's <a href="/SiteAnnouncement">new</a> about this site?</p>
<!--#comment-->
<table border="0" width="100%">
<tr valign="top">
<td valign="top">
<p class="small">
<form action="<!--#var SCRIPT_NAME-->/SiteIndex/search" method="post">
<input name="text_content">
<input type="submit" value=" Search ">
</form>
</p>
<h2>What is Zope?</h2>
<p class="small">
Zope is a free, Open Source application server for building high-performance, dynamic web sites.
</p>
<p class="small">
<a href="">Find out more...</a>
</p>
<h2>Latest News</h2>
<!--#var "SiteIndex.recentChanges(SiteIndex,REQUEST)"-->
<p class="small">
<a href="<!--#var SCRIPT_NAME-->/SiteIndex/news.rss">Zope news in RSS format.</a>
</p>
</td>
<td width="250" valign="top">
<table border="0" width="250">
<tr valign="top">
<td bgcolor="#7777FF">
<p class="smallpagetitle">Spotlight On</p>
</td></tr>
<tr valign="top"><td class="small">
<!--#with SpotLightOn-->
<!--#var Current-->
<!--#/with-->
</td></tr></table>
</td></tr></table>
<!--#/comment-->
<!-------------------------------------------------------------------------- --->
<!-- THIS IS THE NEWS TABLE -->
<!-- FORMATTING FOR EACH NEWS ITEM FOLLOWS THE PATTERN: -->
<!-- REMEMBER TO OMIT THE TRAILING H2 TAG (IT CAUSES A WRAP BUT THE PAGE -->
<!-- ISN"T DEGRADED W/ OUT IT). -->
<!-- <TR> -->
<!-- <TD CLASS="headline"><H2 CLASS="headline">HEADLINE</TD> -->
<!-- </TR> -->
<!-- <TR> -->
<!-- <TD> -->
<!-- <DIV CLASS="byline">BYLINE</DIV> -->
<!-- <DIV CLASS="newsitem">SUMARRY<I><A HREF="#">[More...]</A></I></DIV> -->
<!-- <BR> -->
<!-- <DIV CLASS="extras">[CATEGORY | THREADS]</DIV></TD> -->
<!-- </TR> -->
<!-- </TR> -->
<!-- <TD> </TD> -->
<!-- </TR> -->
<!--------------------------------------------------------------------------- -->
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<!--#var "SiteIndex.recentChanges(SiteIndex,REQUEST)"-->
</TABLE>
<p>
<a href="<!--#var SCRIPT_NAME-->/SiteIndex/news.rss">Zope news in RSS format.</a>
</p>
</TD>
<!--------------------------------------------------------------------->
<!-- END OF THE NEWS TABLE -->
<!--------------------------------------------------------------------->
<TD VALIGN=TOP>
<!-------------------------------------------------------------------------- ------------------>
<!-- THIS IS THE RIGHT COLUMN TABLE -->
<!-- For each item, you must set up as follows replacing TITLE and -->
<!-- COPY as required: -->
<!-- REMEMBER TO OMIT THE TRAILING H2 TAG (IT CAUSES A WRAP BUT THE PAGE -->
<!-- ISN"T DEGRADED W/ OUT IT). -->
<!-- -->
<!-- <TR> -->
<!-- <TD WIDTH="1" BGCOLOR="#6699CC" ROWSPAN="2"> -->
<!-- <IMG SRC="Images/spacer.gif" WIDTH="1" HEIGHT="1" BORDER="0"></TD> -->
<!-- <TD VALIGN="TOP" CLASS="righttitle"><H2 CLASS="righttitle">TITLE</TD></TR> -->
<!-- <TR> -->
<!-- <TD VALIGN="TOP" -->
<!-- <P CLASS="right">COPY</P></TD> -->
<!-- </TR> -->
<!-- <TR> -->
<!-- <TD COLSPAN="2"> </TD> -->
<!-- </TR> -->
<!--------------------------------------------------------------------------- ----------------->
<TABLE BORDER="0" CELLSPACING="0" CELLPADDING="0" WIDTH="200">
<!-------------------------->
<!-- RIGHT COLUMN ITEM #1 -->
<!-------------------------->
<TR>
<TD WIDTH="1" ROWSPAN="2" BGCOLOR="#6699CC">
<IMG SRC="Images/spacer.gif" ALT="Spacing image" WIDTH="1" HEIGHT="2" BORDER="0"></TD>
<TD VALIGN="TOP" CLASS="righttitle"><H2 CLASS="righttitle">What is Zope?</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<P CLASS="right">Zope is a free, Open Source application server for building high-performance, dynamic web sites. </P></TD>
</TR>
<TR>
<TD COLSPAN="2"> </TD>
</TR>
<!-------------------------->
<!-- RIGHT COLUMN ITEM #2 -->
<!-------------------------->
<TR>
<TD WIDTH="1" BGCOLOR="#6699CC" ROWSPAN="3" VALIGN=TOP><IMG SRC="/Images/spacer.gif" ALT="Spacing image" WIDTH="1" HEIGHT="2" BORDER="0"></TD>
<TD VALIGN="TOP" CLASS="righttitle"><H2 CLASS="righttitle">Spotlight On...</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<!--#with SpotLightOn-->
<!--#var Current-->
<!--#/with-->
<!--#comment-->
<!-- Links removed because of lack of content -->
<HR NOSHADE SIZE="0.5" WIDTH="95%">
<P CLASS="right">Read more Zope <A HREF="/Community/CaseStudies">case studies</A> and <A HREF="/Community/Testimonials">testimonials</A>.</P>
<!--#/comment-->
</TD>
</TR>
<TR>
<TD COLSPAN="2"> </TD>
</TR>
</TABLE></TD>
<!--------------------------------------------------------------------->
<!-- END OF THE RIGHT COLUMN TABLE -->
<!--------------------------------------------------------------------->
On Sun, 29 Aug 1999, Martijn Pieters wrote:
At 02:03 29-8-99 , Mike Winter wrote:
Hi, just a quick question: how do you get Zope to display DTML without evaluating it?
There are two methods, one of which is (to me) a very serious security breach: document_src (for which you need the View management screens permission), and PrincipiaSearchSource, for which you do not need any permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
Thanks for the help, everyone. -- Mike Winter | mfw127@mail.usask.ca U. of S: 966-4759 TR Labs: 668-9323
(did not find the original post)
On Sun, 29 Aug 1999, Martijn Pieters wrote:
permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to the URL and see the source of that DTML Method/Document.
No, that's not true. I just checked it.
Regards Tino
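Added example (not part of the original thread, and not Zope's own code): a Python check that flags response bodies in which DTML reached the client unevaluated, as in the PrincipiaSearchSource output quoted in the thread, while leaving alone DTML that was entity-escaped for display as suggested in the first reply. The example.test URLs, the sample bodies and all function names are assumptions made for illustration.

```python
import html
import re

# Old-style DTML looks like <!--#var x--> or <!--#/with-->;
# Zope also accepts the <dtml-var x> ... </dtml-with> form.
# Caveat: Apache SSI directives share the <!--# prefix.
DTML_TAG = re.compile(
    r"<!--#\s*/?\s*([a-z_]+).*?-->|</?dtml-([a-z_]+)[^>]*>",
    re.IGNORECASE | re.DOTALL,
)


def unrendered_dtml_tags(body):
    """Return the names of DTML tags that reached the client unevaluated."""
    return [(m.group(1) or m.group(2)).lower() for m in DTML_TAG.finditer(body)]


def escape_for_display(dtml_source):
    """Entity-escape DTML so a browser shows it as text (&lt; and &gt;)."""
    return html.escape(dtml_source, quote=False)


def audit(responses):
    """Map each URL to the unevaluated DTML tags found in its response body."""
    findings = {}
    for url, body in responses.items():
        tags = unrendered_dtml_tags(body)
        if tags:
            findings[url] = tags
    return findings


# Constructed sample responses; example.test and the paths are placeholders.
LEAK_URL = "http://example.test/index_html/PrincipiaSearchSource"
SAMPLES = {
    "http://example.test/index_html":
        "<html><body><p>So, what's new about this site?</p></body></html>",
    LEAK_URL:
        "<!--#var standard_html_header-->\n<!--#with SpotLightOn-->"
        "<!--#var Current--><!--#/with-->",
    "http://example.test/docs/howto":
        "<pre>" + escape_for_display("<!--#var standard_html_header-->") + "</pre>",
}

if __name__ == "__main__":
    for url, tags in audit(SAMPLES).items():
        print(url, "->", tags)
```

Only the second sample is reported: the rendered page contains no DTML, and the escaped how-to page contains no literal tag for the pattern to match.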
participants (6)
- Andreas Kostyrka
- David Kankiewicz
- Itamar Shtull-Trauring
- Martijn Pieters
- Mike Winter
- Tino Wildenhain