forwarding this to -users because i am having a little bit of lag and mistyped the address the first time :P
tony

---------- Forwarded message ----------
Date: Thu, 20 Mar 2003 16:14:31 -0500 (EST)
From: Tony Collen <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: cocoon-view as possible security problem?

Browsing the livesites, on a whim I tried this URL:

http://dir.salon.com/?cocoon-view=content

and it worked!

Obviously someone deploying Cocoon should be aware that this view is "on" by default, and may reveal data in your page you might not want. I have yet to see "bad" data get exposed, but there's always the possibility.

Do we want the views turned off by default, and have a message in the sitemap about enabling the views?

Would it make more sense to have the name of the "cocoon-view" parameter be able to be changed via configuration? Say I wanted the parameter to be my-view instead of cocoon-view. Security through obscurity?

Tony

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
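As an added example (not part of the mail or of the Cocoon project), a small Python check a site operator could run over a web server access log to see whether, and from where, the cocoon-view parameter described above is being requested; the log lines, paths and client addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

VIEW_PARAM = "cocoon-view"  # the request parameter discussed in the mail


def parse_line(line):
    """Return (host, target, status) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("target"), int(m.group("status"))


def view_requests(lines):
    """Yield (host, path, view, status) for each request carrying a cocoon-view parameter.
    Only the query string is visible here: a view selected via a POST body is not logged."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, target, status = parsed
        parts = urlsplit(target)
        query = parse_qs(parts.query, keep_blank_values=True)
        for view in query.get(VIEW_PARAM, []):
            yield host, parts.path, view, status


def summarize(lines):
    """Count successful (2xx) view requests per (host, view); a client pulling the raw
    content view of many pages is what an operator would want to notice."""
    counts = Counter()
    for host, _path, view, status in view_requests(lines):
        if 200 <= status < 300:
            counts[(host, view)] += 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2003:16:10:02 -0500] "GET /?cocoon-view=content HTTP/1.1" 200 5120
203.0.113.5 - - [20/Mar/2003:16:10:09 -0500] "GET /news/?cocoon-view=content HTTP/1.1" 200 7811
198.51.100.7 - - [20/Mar/2003:16:11:30 -0500] "GET /news/ HTTP/1.1" 200 9001
203.0.113.5 - - [20/Mar/2003:16:12:44 -0500] "GET /admin/?cocoon-view=links HTTP/1.1" 404 312
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for (host, view), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host} fetched view '{view}' {n} time(s)")
```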