[Zope-dev] Bobo-Exception-.. can produce rfc non compliant headers in response.
Romain Slootmaekers
romain@zzict.com
Thu, 24 Apr 2003 12:43:47 +0200
Brian Lloyd wrote:
> <snip examples of bad bobo-* headers>
>
>>I have more than one problem with these headers:
>>
>>1) most important:
>>unpredictability of the RFC compliance. not a good thing.
>>
>>2) security related:
>>they give out way too much information to be comfortable with.
>>a client doesn't have any business with the absolute path to your
>>zope install (Bobo-exception-File)
>>and you even get these even when not running with the -D option.
>>
>>Although not enough info to hack/crack/whatever the machine/server it
>>gives a hacker something concrete to work with.
>>
>>3) usefulness:
>>what do you gain from having these headers anyway?
>>you have the error log on server side that contains the same information
>>in another form.
>>
>>Is there still anybody out there who uses this?
>>if not, it's better to throw the whole thing out of the codebase, no?
>
>
> This bit of black magic supports the ZPublisher.Client module, which is
> an rpc-like mechanism that pre-dates xml-rpc, SOAP, etc. I'm not sure
> how to gauge how many people may still use it :(
>
> That said, I think the issues can be fixed without necessarily throwing
> it out. I think if we:
>
> - escape or otherwise make the exception value header-compliant
>
> - remove the leading path on the exception-file (so you would only
> see 'something.py')
>
> ...then that would resolve these (legitimate) concerns.
>
> Thoughts?
Making the headers compliant and removing the leading path would solve
the problem, but would probably break the rpc-like mechanism you talk
about anyway, no?
I would fix/remove this myself (<10 minutes of work) but I don't have
CVS write access, and you/we first need to decide what is most appropriate:
- modify the headers to make them compliant and remove sensitive data
- remove the Bobo-Exception-... headers completely.
Romain.
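As an added illustration of the first option discussed above (escape the exception value so it is header-compliant and strip the leading path from the file name), not code from Zope or from either poster: a small Python helper that builds such headers. The header names other than Bobo-Exception-File, and the function names, are assumptions for this example.

```python
import os
import re

# Constructed example, not ZPublisher's own code.
# A header field value must be a single line of printable characters:
# CR, LF and other control characters would either break strict parsers
# or let the exception text be read as additional headers.
_CTL = re.compile(r"[\x00-\x1f\x7f]+")

def header_safe(value, max_len=200):
    """Flatten any value to one printable ASCII line of bounded length."""
    text = str(value)
    text = _CTL.sub(" ", text)                          # CR, LF, TAB, NUL ... -> space
    text = text.encode("ascii", "replace").decode("ascii")
    text = " ".join(text.split())                       # collapse whitespace runs
    return text[:max_len]

def bobo_exception_headers(exc_type, exc_value, exc_file, exc_line):
    """Return (name, value) pairs for the Bobo-Exception-* headers with
    compliant values and only the basename of the source file, so the
    absolute path of the Zope install is not sent to the client.
    Header names other than Bobo-Exception-File are assumed for the example."""
    type_name = getattr(exc_type, "__name__", exc_type)
    return [
        ("Bobo-Exception-Type", header_safe(type_name)),
        ("Bobo-Exception-Value", header_safe(exc_value)),
        ("Bobo-Exception-File", header_safe(os.path.basename(str(exc_file)))),
        ("Bobo-Exception-Line", header_safe(exc_line)),
    ]

if __name__ == "__main__":
    # Constructed sample: a multi-line exception value and an absolute path.
    for name, value in bobo_exception_headers(
            ValueError, "bad input\r\nsecond line",
            "/usr/local/zope/lib/python/foo.py", 12):
        print("%s: %s" % (name, value))
```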