[Zope-dev] Zope 2.1.4 released...
Lalo Martins
lalo@webcom.com
Wed, 9 Feb 2000 19:54:54 -0200
On Wed, Feb 09, 2000 at 04:54:48PM -0500, Brian Lloyd wrote:
>
> This update prevents the REQUEST object from being traversable
> by web clients. While this feature was useful for debugging,
> Evan Simpson noted a potential security issue that could allow
> web authors to play client scripting tricks and make them appear
> (to the user) to be coming from a Zope site.
Sorry, I don't get it. Can you elaborate? I don't see how this
is a problem.
And how exactly is ``traversing'' banned? Can't I
<dtml-var REQUEST> anymore, or are you talking about direct
access via some URL?
[]s,
|alo
+----
--
I am Lalo of deB-org. You will be freed.
Resistance is futile.
http://www.webcom.com/lalo mailto:lalo@webcom.com
pgp key in the web page
Debian GNU/Linux --- http://www.debian.org
Brazil of Darkness -- http://zope.gf.com.br/BroDar