[Zope-dev] Re: [Zope] insecure XML-RPC handling.

R. David Murray bitz@bitdance.com
Wed, 3 Apr 2002 10:05:22 -0500 (EST)


On Tue, 2 Apr 2002, Eron Lloyd wrote:
> The problem here seems to be that you are trying to do XML-RPC communication
> with a version of Zope that doesn't support XML-RPC out of the box. You

I think most people missed the point here.  I don't think Rossen
is asking for help on running zope or getting xml-rpc to work with
it.  He's observed a "security" problem: he believes the fact that
a traceback including path names is included in the error response
is a security exposure.  This has been discussed on zope-dev before,
but the fact remains that the security community *does* treat
exposure of filesystem path information as a security issue.

I believe the addition of the variable to control what happens with
tracebacks addresses this issue from a security standpoint, which
is probably all that Rossen cares about with regards to letting
bugtraq know that "the security bug has been fixed".

The fact that zope.org itself is still "insecure" in this
sense may also be an issue, but not one that is going to
get addressed before the new zope.org goes online.

--RDM
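As an added illustration of the point David is making (example code, not Zope's own or anything from the thread): an XML-RPC fault built from an unhandled exception carries the full traceback, including the `File "/path/..."` lines the security community treats as a path disclosure, unless a server-side switch replaces it with a generic message. The switch name `INCLUDE_TRACEBACK_IN_FAULT`, the `handle_request` helper and the sample method are assumptions made for this example; the real Zope variable is not named in the thread.

```python
import traceback
import xmlrpc.client

# Hypothetical server-side switch (assumption; not Zope's own setting).
# True reproduces the behaviour complained about: the traceback, with its
# filesystem paths, goes into the faultString the remote client receives.
INCLUDE_TRACEBACK_IN_FAULT = False


def handle_request(func, include_traceback, *args):
    """Invoke an XML-RPC method and return the serialised methodResponse.

    On success the result is marshalled normally.  On an unhandled exception
    a Fault is returned whose faultString is either the traceback (leaky) or
    a fixed message (safe), depending on include_traceback.
    """
    try:
        return xmlrpc.client.dumps((func(*args),), methodresponse=True)
    except Exception:
        if include_traceback:
            # Mirrors the insecure default: the client sees server paths.
            detail = traceback.format_exc()
        else:
            # Generic message; keep the real traceback in the server log.
            detail = "Internal server error"
        fault = xmlrpc.client.Fault(1, detail)
        return xmlrpc.client.dumps(fault, methodresponse=True)


def fault_string(response):
    """Return the faultString a client would extract, or None if no fault."""
    try:
        xmlrpc.client.loads(response)
    except xmlrpc.client.Fault as fault:
        return fault.faultString
    return None


def leaks_paths(response):
    """Crude check a defender can run on captured responses: traceback
    frames are rendered as 'File "<path>", line N' by the traceback module."""
    return 'File "' in response


def failing_method(divisor):
    """Constructed sample method that raises on bad input."""
    return 1 / divisor


if __name__ == "__main__":
    for include in (True, False):
        resp = handle_request(failing_method, include, 0)
        print("include_traceback=%s leaks_paths=%s" % (include, leaks_paths(resp)))
        print(fault_string(resp))
```

Running the block shows the leaky variant echoing the server's source path inside the `<fault>` element, while the other variant yields only "Internal server error"; the traceback should still be logged server-side so operators keep the diagnostic without handing it to anonymous XML-RPC clients.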