[Zope] URLs expose information which we'd like to hide
Dennis Allison
allison at sumeru.stanford.EDU
Wed Feb 4 16:51:01 EST 2004
Dieter, can you elaborate on this a bit? Passing parameters with the
URL (for example, http://foo.goo.com?p1=v1&p2=v2 ) seems to be locked
in pretty deeply in the Zope paradigm. What would be your suggestion?
On Wed, 4 Feb 2004, Dieter Maurer wrote:
> Dennis Allison wrote at 2004-2-4 08:09 -0800:
> > ...
> >The parameters passed by GET and, to a lesser extent, the URLs themselves,
> >represent a security issue in one of our systems.
>
> Rethink what you are doing....
>
> > ....
> >A partial solution would be to make POST not GET the standard for
> >parameter transmittal.
> >Has anyone tried this? I suspect there are all
> >sorts of hidden gotchas.
>
> "POST" requests should not be cached (as they are expected to
> have side effects). Otherwise, there should be no problems.
>
> --
> Dieter
>