[Zope-dev] Re: [Zope] insecure XML-RPC handling.

Rossen Raykov raikovr@yahoo.com
Thu, 4 Apr 2002 20:39:50 -0500


There are two completely different things:

1. the server log
2. the output to the client.

In the first case you may log everything that you think is reasonable -
stack traces and dumps, relative and absolute paths, etc. It may be
assumed that it is secure since in general it is not accessible out of the box.
My personal opinion is that even this log has to differ if -D (the debug
option) is missing.

In the second case it is better if Zope is returning just the error or the
response.
In the XML-RPC case the error has to be a valid XML-RPC response, not a
stack trace.
I can see that a stack trace may be extremely useful for a developer, but
can't he see the server's error log?
BTW, if a program is expecting an XML-RPC response but it is receiving a stack
trace it may be a little confusing (especially for a not so well written
program ;).
Zope first has to conform to the protocol for XML-RPC exchange (return an XML
response) and after that sweeten the developers (dump the error in the server's
log).

Regards,
Rossen

----- Original Message -----
From: "Dieter Maurer" <dieter@handshake.de>
To: "Shane Hathaway" <shane@zope.com>
Cc: "Rossen Raykov" <raikovr@yahoo.com>; <zope-dev@zope.org>
Sent: Thursday, April 04, 2002 2:55 PM
Subject: Re: [Zope-dev] Re: [Zope] insecure XML-RPC handling.


> Shane Hathaway writes:
>  > If you can, please check out the latest Zope from CVS.  Tracebacks no
>  > longer appear by default, and even when they do, they do not show any
>  > filesystem paths.  (If you already have a checkout, make sure you use
>  > "cvs up -dP" to get the new product.)
> I am very interested in filesystem paths, not necessarily absolute ones,
> but relative pathnames are very helpful to locate a problem.
>
>
> Dieter
>


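The split Rossen argues for above (full detail in the server log, only a well-formed XML-RPC fault on the wire) as an added illustration in modern Python, not Zope code and not part of the original thread. It assumes the standard library's `xmlrpc.server.SimpleXMLRPCDispatcher`; the `FaultOnlyDispatcher` class, the `read_config` method and the `/opt/zope/var/...` path it raises are constructed for the example. The `debug` flag plays the role of Zope's -D: with it the server log gets the traceback, without it only a one-line summary, and in neither case does the client see internals.

```python
import logging
import traceback
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

log = logging.getLogger("xmlrpc.demo")


class FaultOnlyDispatcher(SimpleXMLRPCDispatcher):
    """Hypothetical dispatcher: exceptions become a generic XML-RPC fault.

    The base class already wraps unexpected exceptions in a Fault, but it
    copies the exception text (often a filesystem path) into faultString.
    This override logs the details server-side and sends the client a
    fixed message instead.
    """

    def __init__(self, debug=False):
        super().__init__(allow_none=True)
        self.debug = debug  # stands in for Zope's -D switch

    def _dispatch(self, method, params):
        try:
            return super()._dispatch(method, params)
        except xmlrpc.client.Fault:
            raise  # faults raised deliberately by a method pass through unchanged
        except Exception as exc:
            if self.debug:
                # server log: everything, including the stack trace
                log.error("method %r failed:\n%s", method, traceback.format_exc())
            else:
                # server log without -D: type and message only
                log.error("method %r failed: %s: %s", method, type(exc).__name__, exc)
            # client: a valid methodResponse/fault with no internals in it
            raise xmlrpc.client.Fault(1, "internal server error")


def read_config(name):
    """Constructed failing method: pretends a server-side file is missing."""
    raise FileNotFoundError("/opt/zope/var/%s.cfg" % name)


def build_server(debug=False, dispatcher_cls=FaultOnlyDispatcher):
    """Register two methods on the chosen dispatcher class."""
    server = dispatcher_cls(debug) if dispatcher_cls is FaultOnlyDispatcher \
        else dispatcher_cls(allow_none=True)
    server.register_function(lambda a, b: a + b, "add")
    server.register_function(read_config, "read_config")
    return server


def simulate_call(server, method, *params):
    """Marshal a request, dispatch it in-process, decode it as a client would.

    Returns a dict with the decoded result or fault plus the raw response
    text, so a caller can check what actually went over the wire.
    """
    request = xmlrpc.client.dumps(params, methodname=method).encode()
    response = server._marshaled_dispatch(request)
    raw = response.decode()
    try:
        (value,), _ = xmlrpc.client.loads(response)
        return {"status": "ok", "value": value, "raw": raw}
    except xmlrpc.client.Fault as fault:
        return {"status": "fault", "code": fault.faultCode,
                "message": fault.faultString, "raw": raw}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    srv = build_server(debug=True)
    print(simulate_call(srv, "add", 2, 3))
    # the traceback lands in the log above; the client only gets the fault
    print(simulate_call(srv, "read_config", "site"))
    # for contrast, the stock dispatcher puts the path into faultString
    print(simulate_call(build_server(dispatcher_cls=SimpleXMLRPCDispatcher),
                        "read_config", "site")["message"])
```

The contrast case matters for the thread's point: the stock dispatcher's response is already valid XML-RPC (so a client program parses it), but its fault string still carries the exception text, which here is an absolute server path. Conformance to the protocol and not leaking internals are two separate checks.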