[Zope] <code> tag?

Martijn Pieters mj@antraciet.nl
Sun, 29 Aug 1999 21:54:28 +0200


At 18:58 29-8-99, Andreas Kostyrka wrote:
>On Sun, 29 Aug 1999, Alexander Staubo wrote:
>
> > It only works when explicitly requesting a document by its name. So:
> >
> > http://www.mtg.co.at/PrincipiaSearchSource
> >
> > won't work, whereas:
> >
> > http://www.mtg.co.at/index_html/PrincipiaSearchSource
> >
> > will get you the DTML source.
>Confirmed. That's what one calls a security misfeature?

Depends on whether you mind that the whole DTML source code of your 
application is lying there for the taking. When a similar 'feature' was found in 
Microsoft IIS it was dubbed a security breach, but then again, ASPs more 
often contain security-sensitive information. I don't like it, for one.

Being able to view a site's source code might reveal shortcomings in it that 
can be used to gain further access to your site. It might be that Zope has 
vulnerabilities as yet undiscovered. When thinking in terms of security, 
expect the worst.

Okay, how about the source of your Z SQL Methods: add getFindContent to the 
URL of a Z SQL Method, and you get the source, and this cannot be restricted.

If Zope wants to claim that it is secure, you should be able to protect 
your site's source code.

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| T: +31 35 7502100 F: +31 35 7502111
| mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
---------------------------------------------
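The two disclosure paths the message describes, turned into an offline audit check. This is an added example, not code from the original post or from Zope: the URL shapes (a document reached through index_html, and getFindContent appended to a Z SQL Method) are taken from the message, the response bodies are constructed samples, and the tag patterns used to tell raw DTML from rendered output (`<dtml-...>` and the older `<!--#...-->` syntax) are an assumption about the DTML of the time, as is the `check_responses` helper name.

```python
"""Offline checker for DTML / Z SQL Method source disclosure.

Added example, not Zope's own code.  It builds the probe URLs the post
describes and classifies HTTP response bodies as rendered output or as
leaked source.  Everything below runs against constructed sample data.
"""
import re

# The two URL shapes from the message: reach a document through another
# published object (acquisition), or append getFindContent to a Z SQL Method.
def probe_urls(base, obj_id, via="index_html"):
    base = base.rstrip("/")
    return {
        "acquired": f"{base}/{via}/{obj_id}",
        "find_content": f"{base}/{obj_id}/getFindContent",
    }

# Assumed DTML syntaxes: "<dtml-var x>" and the older "<!--#var x-->".
# Rendered output should contain neither; the raw source contains them.
_DTML_TAG = re.compile(r"<dtml-[a-z]+\b|<!--#\w+", re.IGNORECASE)

# A SQL statement shape, not just the word "select" (which would also match
# an HTML <select> element in a perfectly normal rendered page).
_SQL_STMT = re.compile(
    r"\bselect\b.+\bfrom\b|\binsert\s+into\b|\bupdate\b.+\bset\b|\bdelete\s+from\b",
    re.IGNORECASE | re.DOTALL,
)

def classify_body(body):
    """Return 'sql-source', 'dtml-source' or 'rendered' for one response body."""
    has_dtml = bool(_DTML_TAG.search(body))
    has_sql = bool(_SQL_STMT.search(body))
    if has_sql and (has_dtml or body.lstrip().lower().startswith(("select", "insert", "update", "delete"))):
        return "sql-source"
    if has_dtml:
        return "dtml-source"
    return "rendered"

def check_responses(responses):
    """Map URL -> body (as fetched by the caller) to the URLs that leak source."""
    return {url: kind for url, body in responses.items()
            if (kind := classify_body(body)) != "rendered"}

# Constructed sample bodies: what a probe might get back.
RENDERED = "<html><body><h1>Welcome</h1><form><select name=q></select></form></body></html>"
DTML_SRC = "<html><body><h1><dtml-var title></h1><dtml-in objectValues><dtml-var id></dtml-in></body></html>"
SQL_SRC = "select * from users where name = <dtml-sqlvar name type=string>"

if __name__ == "__main__":
    urls = probe_urls("http://www.mtg.co.at", "PrincipiaSearchSource")
    # Pair the constructed bodies with the probe URLs as if they had been fetched.
    sample = {urls["acquired"]: DTML_SRC,
              urls["find_content"]: SQL_SRC,
              "http://www.mtg.co.at/index_html": RENDERED}
    for url, kind in check_responses(sample).items():
        print(f"{kind:12s} {url}")
```

The check is deliberately a heuristic on the body, not on the status code: both leak paths answer 200, so the only reliable signal is unrendered template markup or a bare SQL statement coming back where a page was expected. Run it against real responses by replacing the constructed dictionary with fetched bodies.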