[Zope-dev] Bobo-Exception-.. can produce rfc non compliant headers in response.
Brian Lloyd
brian@zope.com
Wed, 23 Apr 2003 09:31:50 -0400
<snip examples of bad bobo-* headers>
>
> I have more than one problem with these headers:
>
> 1) most important:
> unpredictability of the RFC compliance. not a good thing.
>
> 2) security related:
> they give out way too much information to be comfortable with.
> a client doesn't have any business with the absolute path to your
> zope install (Bobo-exception-File)
> and you even get these even when not running with the -D option.
>
> Although not enough info to hack/crack/whatever the machine/server it
> gives a hacker something concrete to work with.
>
> 3) usefulness:
> what do you gain from having these headers anyway?
> you have the error log on server side that contains the same information
> in another form.
>
> Is there still anybody out there who uses this ?
> if not, it's better to throw the whole thing out of the codebase, no ?
This bit of black magic supports the ZPublisher.Client module, which is
an rpc-like mechanism that pre-dates xml-rpc, SOAP, etc. I'm not sure
how to gauge how many people may still use it :(
That said, I think the issues can be fixed without necessarily throwing
it out. I think if we:
- escape or otherwise make the exception value header-compliant
- remove the leading path on the exception-file (so you would only
see 'something.py')
...then that would resolve these (legitimate) concerns.
Thoughts?
Brian Lloyd brian@zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
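The two fixes proposed above, as an added example that is not ZPublisher's own code: the three header names, the length limit and the escaping scheme are assumptions made here, not taken from the Zope source.

```python
import os
import re

# Header names assumed from the thread; the exact set emitted by
# ZPublisher is not shown in this discussion.
HEADER_TYPE = "Bobo-Exception-Type"
HEADER_VALUE = "Bobo-Exception-Value"
HEADER_FILE = "Bobo-Exception-File"

# A header field value must stay on one line and contain no control
# characters: a CR or LF inside an exception message would otherwise be
# written to the wire as the start of a new header.
_UNSAFE = re.compile(r"[^\x20-\x7e]")


def _escape(match):
    """Render one unsafe character as a visible ASCII escape."""
    code = ord(match.group(0))
    return "\\x%02x" % code if code < 0x100 else "\\u%04x" % code


def header_safe(value, limit=200):
    """Reduce an arbitrary exception string to a single-line ASCII value.

    `limit` (assumed here) bounds the size of what the client sees.
    """
    text = _UNSAFE.sub(_escape, str(value))
    if len(text) > limit:
        text = text[:limit] + "..."
    return text


def exception_headers(exc, filename):
    """Build the response headers for `exc`, exposing no absolute path."""
    # Normalise separators before basename so a Windows-style path is
    # also reduced to its final component.
    module_file = os.path.basename(str(filename).replace("\\", "/"))
    return {
        HEADER_TYPE: header_safe(type(exc).__name__),
        HEADER_VALUE: header_safe(exc),
        HEADER_FILE: header_safe(module_file),
    }
```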