[Zope] ZHTTP Server allows server name

sam gendler sgendler@akamai.com
Sun, 11 Mar 2001 07:07:22 -0800


The HTTP 1.1 spec REQUIRES that webservers accept canonical URLs in the
request.  The intent was to gradually move away from the 0.9/1.0 method of
just sending the path, which can make things awkward when doing virtual
hosting.  What is not defined in the spec is what to do if you receive a
request for a canonical url that does not exist on the server.  It is totally
appropriate for Zope to do what it did, and I don't think it should be
changed.  Certainly, nothing more than treating a request for a hostname that
is not served locally as an error.

--sam


Oleg Broytmann wrote:

> Hello!
>
>    Our system/network admins scanned our local network and found on my
> computer strange proxy :)
>
> > telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET http://www.zope.org/ HTTP/1.0
> Host: localhost
>
>    Then Zope returned root page of localhost, not www.zope.org, so it is
> not security hole, but anyway I think ZServer should not accept server name
> in the request. Instead an error (perhaps HTTP error 400) should be
> returned.
>    Should I report this to Collector?
>
> Oleg.
> ----
>      Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
>            Programmers don't die, they just GOSUB without RETURN.
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )

--
------------------------------------------------
"I'll do the stupid thing first and then you shy
 people follow..."
                                   --Frank Zappa
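The behaviour the two posts argue over, as an added example (not ZServer's or Zope's code): a small request parser that accepts both request-target forms HTTP/1.1 servers must handle, resolves the effective host the way RFC 2616 section 5.2 prescribes (the authority in an absolute URI wins and the Host header is then ignored), rejects an HTTP/1.1 request with no Host header with 400 as RFC 2616 section 14.23 requires, and answers 400 when the resolved host is not one the server serves, which is the error Oleg asked for and Sam accepts. `SERVED_HOSTS`, `DEFAULT_HOST`, `route` and the sample requests are constructed for this example.

```python
from urllib.parse import urlsplit

# Hostnames this server answers for. Constructed for the example; a real
# server would take these from its virtual-host configuration.
SERVED_HOSTS = {"localhost", "localhost:8080", "127.0.0.1:8080"}
# Host assumed for HTTP/1.0 clients, which may legitimately omit Host.
DEFAULT_HOST = "localhost:8080"


class BadRequest(Exception):
    """Raised for anything that should be answered with 400."""


def parse_request(raw: bytes):
    """Split a raw request into (method, target, version, headers).

    Header names are lower-cased; only the head (before the blank line)
    is examined, so a body, if any, is ignored here.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise BadRequest("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def effective_host_and_path(target, version, headers):
    """Return (host, path) for the request.

    Absolute URI ("http://host/path"): the authority comes from the target
    and any Host header is ignored (RFC 2616 5.2).  Plain path ("/path"):
    the host comes from the Host header, which HTTP/1.1 clients must send
    (RFC 2616 14.23); HTTP/1.0 clients fall back to DEFAULT_HOST.
    """
    if target.startswith(("http://", "https://")):
        u = urlsplit(target)
        if not u.netloc:
            raise BadRequest("absolute URI without authority")
        path = u.path or "/"
        if u.query:
            path += "?" + u.query
        return u.netloc.lower(), path
    if not target.startswith("/"):
        raise BadRequest("unsupported request-target form")
    host = headers.get("host")
    if host is None:
        if version != "HTTP/1.0":
            raise BadRequest("HTTP/1.1 request without Host header")
        host = DEFAULT_HOST
    return host.lower(), target


def route(raw: bytes, served_hosts=SERVED_HOSTS):
    """Return (status, host, path_or_reason).

    400 is returned both for malformed requests and for a request whose
    effective host is not served here, instead of silently answering
    with the local root the way the quoted probe observed.
    """
    try:
        _method, target, version, headers = parse_request(raw)
        host, path = effective_host_and_path(target, version, headers)
    except BadRequest as exc:
        return 400, None, str(exc)
    if host not in served_hosts:
        return 400, host, "host not served here"
    return 200, host, path


if __name__ == "__main__":
    # The probe from the quoted message, reconstructed as raw bytes.
    probe = b"GET http://www.zope.org/ HTTP/1.0\r\nHost: localhost\r\n\r\n"
    print(route(probe))
    print(route(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"))
```

The second sample request in the test (an absolute URI naming a served host with a Host header naming somebody else) shows why the precedence rule matters: a server that keyed virtual hosting off the Host header while accepting absolute URIs would route the two inconsistently. Whether an unknown host should get 400 or 404 is a design choice the spec leaves open; the point is that it must be an error rather than a silent substitution.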
