[Zope-dev] Bobo-Exception-.. can produce rfc non compliant headers in response.

Romain Slootmaekers romain@zzict.com
Thu, 24 Apr 2003 12:43:47 +0200


Brian Lloyd wrote:
> <snip examples of bad bobo-* headers>
> 
>>I have more than one problem with these headers:
>>
>>1) most important:
>>unpredictability of the RFC compliance. not a good thing.
>>
>>2) security related:
>>they give out way too much information to be comfortable with.
>>a client doesn't have any business with the absolute path to your
>>zope install (Bobo-exception-File)
>>and you even get these even when not running with the -D option.
>>
>>Although not enough info to hack/crack/whatever the machine/server it 
>>gives a hacker something concrete to work with.
>>
>>3) usefulness:
>>what do you gain from having these headers anyway?
>>you have the error log on server side that contains the same information 
>>in another form.
>>
>>Is there still anybody out there who uses this?
>>if not, it's better to throw the whole thing out of the codebase, no?
> 
> 
> This bit of black magic supports the ZPublisher.Client module, which is 
> an rpc-like mechanism that pre-dates xml-rpc, SOAP, etc. I'm not sure 
> how to gauge how many people may still use it :(
> 
> That said, I think the issues can be fixed without necessarily throwing 
> it out. I think if we:
> 
>   - escape or otherwise make the exception value header-compliant
> 
>   - remove the leading path on the exception-file (so you would only 
>     see 'something.py')
> 
> ...then that would resolve these (legitimate) concerns. 
> 
> Thoughts?

making the headers compliant and removing the leading path would solve 
the problem, but would probably break the rpc-like mechanism you talk 
about anyway, no?


I would fix/remove this myself (<10 minutes of work) but I don't have 
CVS write access, and you/we first need to decide what is most appropriate:

- modify the headers to make them compliant and remove sensitive data

- remove the Bobo-Exception-... headers completely.


Romain.
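The two mitigations proposed in the thread (make the exception value header-compliant, and reduce the exception file to its basename so the install path is not exposed) as an added illustration. This is not Zope's or ZPublisher's own code: the header names other than Bobo-Exception-File, the `_CTL_RE` pattern and the `exception_headers` / `header_safe` helpers are assumptions made for the example, and the constructed exception message contains a CR/LF pair to show why a raw value breaks the header block.

```python
import os
import re
import sys
import traceback

# Control characters (including CR and LF) are not allowed in an HTTP
# header field value; a raw exception message containing them would end
# the header or start a new one. Pattern chosen for this example.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


def header_safe(value, limit=200):
    """Turn an arbitrary string into a single-line header value.

    Control characters are replaced by spaces, runs of whitespace are
    collapsed, and the result is capped at `limit` characters so a very
    long exception repr cannot bloat the response.
    """
    cleaned = _CTL_RE.sub(" ", str(value))
    return " ".join(cleaned.split())[:limit]


def exception_headers(exc_type, exc_value, tb):
    """Build Bobo-Exception-* style headers with the sensitive parts removed.

    The file name is reduced to its basename (no absolute install path),
    and every value passes through header_safe(). Header names besides
    Bobo-Exception-File are assumed for this example.
    """
    frames = traceback.extract_tb(tb)
    if frames:
        filename, lineno, _name, _line = frames[-1]
    else:
        filename, lineno = "", 0
    return {
        "Bobo-Exception-Type": header_safe(exc_type.__name__),
        "Bobo-Exception-Value": header_safe(exc_value),
        "Bobo-Exception-File": header_safe(os.path.basename(filename)),
        "Bobo-Exception-Line": str(lineno),
    }


def headers_are_compliant(headers):
    """Check the field-value rule that matters here: no bare CR or LF."""
    return all("\r" not in v and "\n" not in v for v in headers.values())


def demo():
    """Raise a constructed exception whose message carries a CR/LF pair
    and return the sanitised headers for it."""
    try:
        raise ValueError("bad input\r\nX-Injected: yes")
    except ValueError:
        return exception_headers(*sys.exc_info())


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %s" % (name, value))
```

Without header_safe(), the constructed message would be emitted as two header lines, the second being an attacker-chosen `X-Injected: yes`; with it, the value collapses to one line and the file header shows only the script's basename.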