[Zope] ZHTTP Server allows server name
ender
kthangavelu@earthlink.net
Sun, 11 Mar 2001 04:22:38 -0800
On Sunday 11 March 2001 04:25, Oleg Broytmann wrote:
>>Hello!
>>
>> Our system/network admins scanned our local network and found on my
>>computer strange proxy :)
>>
>>> telnet localhost 8080
>>
>>Trying 127.0.0.1...
>>Connected to localhost.
>>Escape character is '^]'.
>>GET http://www.zope.org/ HTTP/1.0
>>Host: localhost
>>
>> Then Zope returned root page of localhost, not www.zope.org, so it is
>>not security hole, but anyway I think ZServer should not accept server name
>>in the request. Instead an error (perhaps HTTP error 400) should be
>>returned.
>> Should I report this to Collector?
probably as a feature request to z2.py for a check host option, else you'll
be hosing those doing virtual hosting.
kapil
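
A sketch of the kind of host check suggested above, as an added example that is not part of the original thread and not Zope or z2.py code. `ALLOWED_HOSTS` and `check_request` are hypothetical names. The sketch assumes the server keeps a list of the names it serves, so virtual hosts keep working while a request line naming a foreign site gets a 400.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: every name this server answers for, virtual hosts included.
ALLOWED_HOSTS = {"localhost", "www.example.org"}


def check_request(raw, allowed=ALLOWED_HOSTS):
    """Return (status, effective_host, path) for a raw HTTP request head.

    Status 200 means "hand the request to the publisher"; 400 means refuse it.
    """
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return 400, None, None
    target = parts[1]

    # Find the Host header; the first occurrence wins in this sketch.
    host_header = None
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and host_header is None:
            host_header = value.strip()

    try:
        if target.startswith("/"):
            # origin-form ("GET /path"): the Host header names the site.
            authority, path = host_header or "", target
        else:
            # absolute-form ("GET http://host/path"): the URL's authority
            # takes precedence over whatever the Host header says.
            url = urlsplit(target)
            if url.scheme not in ("http", "https"):
                return 400, None, None
            authority, path = url.netloc, url.path or "/"
        host = urlsplit("//" + authority).hostname  # drops the port, lower-cases
    except ValueError:
        return 400, None, None

    if host is None or host not in allowed:
        return 400, host, None  # not one of ours: refuse, do not serve the root page
    return 200, host, path


if __name__ == "__main__":
    # The request from the post: absolute URL for another site, Host: localhost.
    print(check_request("GET http://www.zope.org/ HTTP/1.0\r\nHost: localhost\r\n\r\n"))
```

Absolute-form request lines for a name on the allowlist are still accepted, which is what HTTP/1.1 expects of an origin server; only the authority mismatch is rejected.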