[Zope-dev] Re: [Zope] insecure XML-RPC handling.

Rossen Raykov raikovr@yahoo.com
Sat, 6 Apr 2002 10:01:33 -0500


>
>   *  the immediate correspondence between the request and the
>      response containing essential information to analyse the problem

It's an application problem and the application has to handle it.
Log all the requests/responses on the server or the client side.

>
>   *  newbies

They have nothing to do in a production environment, don't they?

>
>      Even with the stack trace immediately in the response, they
>      report problems with no or missing essential details about
>      the problem.

Then how can one help there?

>
>      This will become worse when the error information is hidden
>      in a log.

The point is that production differs from the development environment.
In the development environment one can do whatever he needs.
In a production environment reporting information such as physical paths on the
server, internal network addresses etc. is unacceptable.

Look at it from a different perspective:
Someone is browsing the Internet and a site responds like:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'or'.

/login.asp, line 11

A couple of scenarios:

1. If he is a regular user he will go to the next site and most probably
will never come back to that site again.

2. If he is a tester or developer - oops, the code has a problem, we have to fix
it.

3. If he is an intruder then "Bingo!" the site has problems escaping special
characters before passing them to the SQL server! Let's have a party!

The situation with Zope is similar.

Shall the dump help the regular surfer? I doubt so.

Shall it benefit the developer or the tester? Most probably not, since they
are not performing their activities on the production site.

Shall it benefit third party developers that are requesting services from
your site? Maybe partially, since they can report the stack to you, but you
may get that information from your log anyway. Since they cannot control
the code on your side this will not make their lives easier.

The only one left is the intruder!

The conclusion is: make the server not dump the stack in the response
unless the -D option implies it.

With -D dump the processor registers if you would like ;)

People have to be able to control this, and if there is more precise control
like a debug level - then it is even better.



>
>  > BTW if a program is expecting an XML-RPC response but it is receiving a stack
>  > trace it may be a little confusing (especially for a not so well written
>  > program ;).
>  > Zope first has to conform to the protocol for XML-RPC exchange (return an
>  > XML response) and after that sweeten the developers (dump the error in the
>  > server's log).
> Okay!
>
>
> Dieter
>

Regards,
Rossen


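The behaviour Rossen argues for above (a well-formed XML-RPC fault to the client, the full traceback only in the server log, details in the response only when a debug mode is switched on) can be sketched with the standard library's xmlrpc module. This is an added illustration written for this archive page, not Zope's code and not anything posted in the thread; the `dispatch`, `client_view` and `divide` functions and the `debug` flag standing in for Zope's -D option are assumptions of the example.

```python
import logging
import traceback
import xmlrpc.client

log = logging.getLogger("xmlrpc_fault_demo")


def dispatch(method, params, debug=False):
    """Call an application method and build the raw XML-RPC response body.

    On failure the full traceback goes to the server log and the client
    gets a proper <fault> element.  Only with debug=True (standing in for
    the -D mode discussed in the thread) does the traceback, with its file
    paths and line numbers, travel back to the caller.
    """
    try:
        result = method(*params)
        return xmlrpc.client.dumps((result,), methodresponse=True)
    except Exception:
        tb = traceback.format_exc()
        # Server side keeps every detail needed to analyse the problem.
        log.error("XML-RPC call %r failed:\n%s", getattr(method, "__name__", method), tb)
        if debug:
            fault = xmlrpc.client.Fault(1, tb)  # development: full detail
        else:
            fault = xmlrpc.client.Fault(1, "internal server error; see server log")
        return xmlrpc.client.dumps(fault, methodresponse=True)


def client_view(raw_response):
    """What an XML-RPC client sees: ("ok", value) or ("fault", code, message)."""
    try:
        params, _ = xmlrpc.client.loads(raw_response)
        return ("ok", params[0])
    except xmlrpc.client.Fault as f:
        return ("fault", f.faultCode, f.faultString)


# Constructed application method for the demo: fails on a zero divisor.
def divide(a, b):
    return a // b


if __name__ == "__main__":
    print(client_view(dispatch(divide, (6, 3))))
    print(client_view(dispatch(divide, (1, 0))))
    # In debug mode the first line of the fault string is the traceback header.
    print(client_view(dispatch(divide, (1, 0), debug=True))[2].splitlines()[0])
```

Both responses are valid XML-RPC, so a client program that parses the reply with `xmlrpc.client.loads` gets a `Fault` it can handle instead of an unparseable HTML stack dump; the production fault string carries no paths, addresses or exception class names.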