[Zope-dev] Re: [Zope] insecure XML-RPC handling.

Brian Lloyd brian@zope.com
Wed, 3 Apr 2002 12:20:50 -0500


> I think most people missed the point here.  I don't think Rossen
> is asking for help on running Zope or getting XML-RPC to work with
> it.  He's observed a "security" problem: he believes the fact that
> a traceback including path names is included in the error response
> is a security exposure.  This has been discussed on zope-dev before,
> but the fact remains that the security community *does* treat
> exposure of filesystem path information as a security issue.

Right. There is already code for Zope 2.6 and Zope 3 that 
addresses this. Shane's new traceback formatting makes the 
trace information far more readable in addition to removing 
filesystem path information.


Brian Lloyd        brian@zope.com
V.P. Engineering   540.361.1716       
Zope Corporation   http://www.zope.com
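
Added example, not part of the original message and not Shane's formatter or any Zope code: a minimal Python sketch of the idea discussed above, building an XML-RPC fault whose traceback names modules instead of files on disk. The function names, the fault code 1 and the constructed KeyError are assumptions made for illustration.

```python
import traceback
import xmlrpc.client


def format_without_paths(exc):
    """Render a traceback that names modules, not files on disk."""
    lines = ["Traceback (innermost last):"]
    tb = exc.__traceback__
    while tb is not None:
        frame = tb.tb_frame
        # The module's dotted name identifies the code without exposing
        # the install location that co_filename would reveal.
        module = frame.f_globals.get("__name__", "?")
        lines.append("  Module %s, line %d, in %s"
                     % (module, tb.tb_lineno, frame.f_code.co_name))
        tb = tb.tb_next
    for text in traceback.format_exception_only(type(exc), exc):
        lines.append(text.rstrip("\n"))
    return "\n".join(lines)


def fault_response(exc, debug=False):
    """Build the XML-RPC fault body that is sent back to the client."""
    if debug:
        # Stock formatting: every frame carries 'File "<absolute path>"'.
        detail = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))
    else:
        detail = format_without_paths(exc)
    fault = xmlrpc.client.Fault(1, detail)  # fault code 1 is arbitrary here
    return xmlrpc.client.dumps(fault, methodresponse=True)


def demo():
    """Return (leaky, sanitized) fault bodies for a constructed failure."""
    try:
        {}["missing"]  # constructed error standing in for a failing method
    except KeyError as exc:
        return fault_response(exc, debug=True), fault_response(exc)


if __name__ == "__main__":
    leaky, sanitized = demo()
    print(leaky)
    print(sanitized)
```

The exception message itself can still contain a path (an IOError on a missing file, for instance), so the value line needs its own review before it is returned to a remote caller.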