[Zope-dev] Re: [Zope] insecure XML-RPC handling.
Brian Lloyd
brian@zope.com
Wed, 3 Apr 2002 12:20:50 -0500
> I think most people missed the point here. I don't think Rossen
> is asking for help on running zope or getting xml-rpc to work with
> it. He's observed a "security" problem: he believes the fact that
> a traceback including path names is included in the error response
> is a security exposure. This has been discussed on zope-dev before,
> but the fact remains that the security community *does* treat
> exposure of filesystem path information as a security issue.
Right. There is already code for Zope 2.6 and Zope 3 that
addresses this. Shane's new traceback formatting makes the
trace information far more readable in addition to removing
filesystem path information.
Brian Lloyd brian@zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
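
Added example, not part of the original message and not Zope's or Shane's code: a minimal Python sketch of the idea discussed in this thread, where an XML-RPC fault carries module names instead of filesystem paths while the full traceback goes only to the server log. The method `read_skin`, its path, and the fault code 1 are constructed for illustration.

```python
import traceback
import xmlrpc.client


def full_traceback(exc):
    """Server-side log text: the standard traceback, file paths included."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def client_traceback(exc):
    """Client-facing text: module, line and function per frame, no file paths."""
    lines = ["Traceback (most recent call last):"]
    tb = exc.__traceback__
    while tb is not None:
        frame = tb.tb_frame
        module = frame.f_globals.get("__name__", "?")
        lines.append("  Module %s, line %d, in %s"
                     % (module, tb.tb_lineno, frame.f_code.co_name))
        tb = tb.tb_next
    # str() of an OSError embeds the filename, so use strerror alone for those.
    # Other exception types can still carry a path in their message.
    if isinstance(exc, OSError) and exc.strerror:
        detail = exc.strerror
    else:
        detail = str(exc)
    lines.append("%s: %s" % (type(exc).__name__, detail))
    return "\n".join(lines)


def read_skin(path="/opt/example-instance/var/skins/missing.dtml"):
    """Constructed published method that fails on a constructed path."""
    with open(path) as f:
        return f.read()


def call(method, log):
    """Run a method and return the XML-RPC response body for it."""
    try:
        return xmlrpc.client.dumps((method(),), methodresponse=True)
    except Exception as exc:
        log(full_traceback(exc))  # paths stay on the server
        fault = xmlrpc.client.Fault(1, client_traceback(exc))
        return xmlrpc.client.dumps(fault, methodresponse=True)


if __name__ == "__main__":
    server_log = []
    print(call(read_skin, server_log.append))
```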