[Zope] URLs expose information which we'd like to hide
Dieter Maurer
dieter at handshake.de
Thu Feb 5 13:33:26 EST 2004
Dennis Allison wrote at 2004-2-4 13:51 -0800:
>Dieter, can you elaborate on this a bit? Passing parameters with the
>URL (for example, http://foo.goo.com?p1=v1&p2=v2 ) seems to be locked
>in pretty deeply in the Zope paradigm. What would be your suggestion?
HTML is not designed to be secure against curious users....
When you try to hide parameters, I will use a TCPLogger to
see what is on the wire.
When you use HTTPS, I will analyse the HTML source to determine
your secrets.
>On Wed, 4 Feb 2004, Dieter Maurer wrote:
>> Dennis Allison wrote at 2004-2-4 08:09 -0800:
>> > ...
>> >The parameters passed by GET and, to a lesser extent, the URLs themselves,
>> >represent a security issue in one of our systems.
>>
>> Rethink what you are doing....
--
Dieter