Malthe Borch wrote:
> 2009/5/12 Tres Seaver <>:
>> The server side wouldn't know that:  the presence of such a field in the
>> request is completely independent of any form (e.g., cookies passed long
>> after logging in).
> I understand the issue, but shouldn't the remedy be to avoid ever
> displaying request data in a public view?

I wonder who would put credentials in clear text into the request and
then display the request itself?

The HTTP_AUTHORIZATION key is taken out of the request environment
immediately to avoid it ever being shown. For such a low level HTTP
feature I can understand this as a reasonable responsibility of the request.

But dealing with arbitrary data in the request and guessing that
something including passw is probably going to contain credentials seems
just awkward. If I name my variable auth, credentials or "Kennung" or
whatever else in a different language, this thing is not going to help me.
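To make the limitation concrete, here is an added example (not code from the thread or from repoze): a sanitiser that drops HTTP_AUTHORIZATION outright and redacts only keys whose name contains a configured substring such as "passw", run over a constructed WSGI-style environment. The key names, values and the helper names are assumptions for illustration.

```python
# Constructed sample WSGI-style request environment (not a real capture).
# The "form.*" keys stand in for parsed form data copied into the environ.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/login",
    "HTTP_AUTHORIZATION": "Basic dXNlcjpzZWNyZXQ=",  # user:secret
    "HTTP_COOKIE": "session=abc123",
    "form.password": "hunter2",
    "form.passwd_confirm": "hunter2",
    "form.Kennung": "hunter2",  # German key name: not matched by "passw"
    "form.username": "alice",
}

REDACTED = "<redacted>"


def sanitize_environ(environ, key_substrings=("passw",)):
    """Return (sanitised copy, sorted list of keys that were redacted or dropped).

    HTTP_AUTHORIZATION is removed entirely, mirroring the early removal
    described in the thread. Any other key is redacted only when its name
    contains one of ``key_substrings`` (case-insensitive); everything else
    passes through unchanged, which is exactly the gap the post complains about.
    """
    cleaned = {}
    touched = []
    for key, value in environ.items():
        if key == "HTTP_AUTHORIZATION":
            touched.append(key)
            continue
        lowered = key.lower()
        if any(sub in lowered for sub in key_substrings):
            cleaned[key] = REDACTED
            touched.append(key)
        else:
            cleaned[key] = value
    return cleaned, sorted(touched)


def leaked_secrets(environ, secrets):
    """Keys whose value still equals a known secret after sanitising.

    Useful as a regression check in tests: feed in the secrets you used for
    the request and confirm nothing survives under an unexpected key name.
    """
    cleaned, _ = sanitize_environ(environ)
    return sorted(k for k, v in cleaned.items() if v in secrets)
```

Running `leaked_secrets(SAMPLE_ENVIRON, {"hunter2"})` reports `form.Kennung`, the oddly named field the substring rule never sees.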


Repoze-dev mailing list