[Zope] Securing Zope and Special URLs

Dieter Maurer dieter at handshake.de
Sat Sep 13 07:12:53 EDT 2003


Roy Rapoport wrote at 2003-9-10 11:34 -0700:
 > As part of a re-engineering of our Zope infrastructure, I'm tasked with
 > finding any documentation out there on how to secure Zope sites in a
 > best-practices sort of way.  Anyone got any pointers?

Jamie Heilman (who also answered your post) discovered
a set of security risks. Search the mailing list archives
for his security-related posts.

To avoid the ":action/method" risk (pointed out by Jamie)
we will extend the VHM (virtual host monster) to do the
"forbidden URL checking" rather than doing it in Apache (which
does not see the complete URL).


Dieter


