[Zope] ZHTTP Server allows server name

Oleg Broytmann <phd@mail2.phd.pp.ru>
Sun, 11 Mar 2001 15:25:01 +0300 (MSK)


Hello!

   Our system/network admins scanned our local network and found a strange
proxy on my computer :)

> telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://www.zope.org/ HTTP/1.0
Host: localhost

   Then Zope returned the root page of localhost, not www.zope.org, so it is
not a security hole, but anyway I think ZServer should not accept a server
name in the request. Instead an error (perhaps HTTP error 400) should be
returned.
   Should I report this to the Collector?

Oleg.
----
     Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
           Programmers don't die, they just GOSUB without RETURN.
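
One way to express the check suggested in the message above, as an added example that is not part of the original post and is not ZServer code. The function name, the status tuple it returns and the served_hosts parameter are assumptions; with the default empty set, every request line that carries a server name gets 400.

```python
from urllib.parse import urlsplit

# Hypothetical helper (not a ZServer API): decide what to do with a request
# line before the path is handed to the publisher.
def check_request_line(line, served_hosts=frozenset()):
    """Return (status, path) for one HTTP request line.

    "/path" targets pass through unchanged. "http://host/path" targets are
    accepted only if host is a name this server answers for (served_hosts,
    an assumed configuration value); anything else gets 400, so the server
    never answers for a foreign name and does not look like a proxy.
    """
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, None
    method, target, _version = parts
    if target.startswith("/"):
        return 200, target                      # ordinary origin-form target
    if target == "*" and method == "OPTIONS":
        return 200, target                      # server-wide OPTIONS
    try:
        url = urlsplit(target)
    except ValueError:                          # e.g. unbalanced IPv6 brackets
        return 400, None
    if url.scheme.lower() not in ("http", "https") or not url.hostname:
        return 400, None
    if url.hostname.lower() not in served_hosts:
        return 400, None                        # server name is not ours
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return 200, path

if __name__ == "__main__":
    # First line is the request from the telnet session above; the others
    # are constructed samples.
    for sample in ("GET http://www.zope.org/ HTTP/1.0",
                   "GET / HTTP/1.0",
                   "GET http://localhost:8080/a?b=1 HTTP/1.0"):
        print(sample, "->", check_request_line(sample, {"localhost"}))
```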