[Zope-dev] Bobo-Exception-.. can produce rfc non compliant headers in response.

Romain Slootmaekers romain@zzict.com
Wed, 23 Apr 2003 14:03:17 +0200


Yo,
In case of an exception, the following headers can produce non-compliant
HTTP response headers.

Bobo-Exception-File
Bobo-Exception-Type
Bobo-Exception-Value

Especially the Bobo-Exception-Value header, which is a chopped-off
version of the body of the response, is a cause of problems.
e.g.:

-------------- included example -----------------
Bobo-Exception-Value: <?xml version="1.0"?> <!DOCTYPE wml PUBLIC 
"-//WAPFORUM//DTD WML 1.1//EN" 
"http://www.wapforum.org/DTD/wml_1.1.xml"> <wml>   <card>     <p

-------------- /included example ----------------

Normally, your browser doesn't barf on this, but browsers on small 
devices (like mobile phones) and their gateways are way more picky :(

I have more than one problem with these headers:

1) most important:
Unpredictability of the RFC compliance. Not a good thing.

2) security related:
They give out way too much information to be comfortable with.
A client doesn't have any business with the absolute path to your
Zope install (Bobo-Exception-File),
and you get these even when not running with the -D option.

Although not enough info to hack/crack/whatever the machine/server, it
gives a hacker something concrete to work with.

3) usefulness:
What do you gain from having these headers anyway?
You have the error log on the server side that contains the same information
in another form.

Is there still anybody out there who uses this?
If not, it's better to throw the whole thing out of the codebase, no?


Romain.
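A check an operator can run over outgoing response headers, added here as an example (not code from the original post or from Zope): it drops the Bobo-Exception-* headers and flags any value that breaks the HTTP field-value grammar (CR/LF, control characters), which is what a chopped-off response body like the one quoted above does. The sample headers and the file path in them are constructed for the example.

```python
import re

# Debug headers named in the post; matched case-insensitively like all
# HTTP header names.
DEBUG_HEADER_PREFIX = "bobo-exception-"

# RFC 7230 field-value grammar: HTAB, visible ASCII and obs-text
# (0x80-0xFF); CR, LF and other control characters are not allowed.
_VALID_FIELD_VALUE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


def check_header(name, value):
    """Return a list of problems with one header (empty if it is fine)."""
    problems = []
    if name.lower().startswith(DEBUG_HEADER_PREFIX):
        problems.append("debug header leaks server internals: %s" % name)
    if "\r" in value or "\n" in value:
        # A bare newline ends the header block or starts a new header;
        # a multi-line body pasted into a value is exactly this case.
        problems.append("CR/LF in value of %s" % name)
    elif not _VALID_FIELD_VALUE.match(value):
        problems.append("control or non-ASCII character in value of %s" % name)
    return problems


def sanitize_headers(headers):
    """Keep only headers that pass check_header; return (clean, report)."""
    clean, report = [], []
    for name, value in headers:
        problems = check_header(name, value)
        if problems:
            report.extend(problems)
        else:
            clean.append((name, value))
    return clean, report


# Constructed sample response, modelled on the post (path is a placeholder).
SAMPLE_HEADERS = [
    ("Content-Type", "text/vnd.wap.wml"),
    ("Bobo-Exception-Type", "KeyError"),
    ("Bobo-Exception-File", "/path/to/zope/lib/python/OFS/Application.py"),
    ("Bobo-Exception-Value", '<?xml version="1.0"?>\n<!DOCTYPE wml PUBLIC '
     '"-//WAPFORUM//DTD WML 1.1//EN"\n'
     '"http://www.wapforum.org/DTD/wml_1.1.xml"> <wml>   <card>     <p'),
    ("Server", "Zope"),
]


def run_sample():
    return sanitize_headers(SAMPLE_HEADERS)
```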