[Zope] <code> tag?
Martijn Pieters
mj@antraciet.nl
Sun, 29 Aug 1999 21:54:28 +0200
At 18:58 29-8-99, Andreas Kostyrka wrote:
>On Sun, 29 Aug 1999, Alexander Staubo wrote:
>
> > It only works when explicitly requesting a document by its name. So:
> >
> > http://www.mtg.co.at/PrincipiaSearchSource
> >
> > won't work, whereas:
> >
> > http://www.mtg.co.at/index_html/PrincipiaSearchSource
> >
> > will get you the DTML source.
>Confirmed. That's what one calls a security misfeature?
Depends on whether you mind that the whole DTML source code of your
application is lying there up for grabs. When a similar 'feature' was found in
Microsoft IIS it was dubbed a security breach, but then again, ASPs more
often contain security sensitive information. I don't like it, for one.
Being able to view a site's source code might reveal shortcomings in it that
can be used to gain further access to your site. It might be that Zope has
vulnerabilities as yet undiscovered. When thinking in terms of security,
expect the worst.
Okay, how about the source of your Z SQL Methods: add getFindContent to the
URL of a ZSQL Method and you get the source, and this cannot be restricted.
If Zope wants to claim that it is secure, you should be able to protect
your site's source code.
--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| T: +31 35 7502100 F: +31 35 7502111
| mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
---------------------------------------------
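For a site owner who wants to know whether the source-disclosure URLs discussed in this thread are being requested, the following is an added detection example (not code from the thread or from Zope): it scans web server access log lines in Common Log Format, flags requests whose last path segment is PrincipiaSearchSource or getFindContent, and records whether the server answered 200. The log lines and hosts are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Suffixes that, appended to a Zope object URL, return its source
# (DTML or Z SQL Method body) instead of the rendered output.
SOURCE_DISCLOSURE_SUFFIXES = ("PrincipiaSearchSource", "getFindContent")

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log: one normal hit, two successful source grabs,
# one failed grab at the site root, one path that merely contains the word.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Aug/1999:21:54:28 +0200] "GET /index_html HTTP/1.0" 200 2048
10.0.0.5 - - [29/Aug/1999:21:54:31 +0200] "GET /index_html/PrincipiaSearchSource HTTP/1.0" 200 1337
10.0.0.7 - - [29/Aug/1999:21:55:02 +0200] "GET /Catalog/sqlListUsers/getFindContent?x=1 HTTP/1.0" 200 412
10.0.0.9 - - [29/Aug/1999:21:55:40 +0200] "GET /PrincipiaSearchSource HTTP/1.0" 404 213
10.0.0.9 - - [29/Aug/1999:21:56:01 +0200] "GET /docs/getFindContentNotes HTTP/1.0" 200 900
"""


def source_probe(path):
    """Return the disclosure suffix if the request path ends with one, else None.

    The query string is dropped and a trailing slash ignored so that
    ".../getFindContent?x=1" and ".../getFindContent/" are both recognised,
    while a segment that only contains the word (getFindContentNotes) is not.
    """
    last = urlsplit(path).path.rstrip("/").rsplit("/", 1)[-1]
    return last if last in SOURCE_DISCLOSURE_SUFFIXES else None


def find_source_probes(lines):
    """Return one record per request that targets a source-disclosure URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        suffix = source_probe(m.group("path"))
        if suffix is None:
            continue
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "path": m.group("path"),
            "suffix": suffix,
            "succeeded": m.group("status") == "200",  # 200 means source was served
        })
    return hits


if __name__ == "__main__":
    for hit in find_source_probes(SAMPLE_LOG.splitlines()):
        state = "SERVED" if hit["succeeded"] else "refused"
        print(f'{hit["time"]} {hit["host"]} {hit["suffix"]} {state} {hit["path"]}')
```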