Malthe Borch wrote:
> 2009/5/12 Tres Seaver <tsea...@palladion.com>:
>> The server side wouldn't know that: the presence of such a field in the
>> request is completely independent of any form (e.g., cookies passed long
>> after logging in).
> I understand the issue, but shouldn't the remedy be to avoid ever
> displaying request data in a public view?
I wonder who would put credentials in clear text into the request and
then display the request itself?
The HTTP_AUTHORIZATION key is taken out of the request environment
immediately to avoid it being ever shown. For such a low level HTTP
feature I can understand this as a reasonable responsibility of the request.
But dealing with arbitrary data in the request and guessing that
something including "passw" is probably going to contain credentials seems
just awkward. If I name my variable "auth", "credentials" or "Kennung" or
whatever else in a different language, this thing is not going to help me.
Repoze-dev mailing list
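The two mechanisms contrasted in the thread, removing HTTP_AUTHORIZATION from the environment as soon as the request is built versus guessing at credential fields by the substring "passw", are shown side by side below. This is an added illustration, not code from Zope, repoze or the thread's participants; the function names (`scrub_environ`, `redact_form`, `describe_request`), the `MASK` token and the sample form data are all constructed for the example. It also shows the third option the message alludes to: the application, which knows its own field names ("Kennung", "auth"), declares them, so redaction no longer depends on a guess.

```python
import re
from typing import Dict, Iterable, Mapping, Tuple

MASK = "<hidden>"

# Substring heuristic of the kind the thread describes: any key whose name
# contains "passw" (case-insensitive) is treated as a credential.
_PASSW = re.compile(r"passw", re.IGNORECASE)


def scrub_environ(environ: Mapping[str, str]) -> Tuple[Dict[str, str], str]:
    """Return a copy of the WSGI environ without HTTP_AUTHORIZATION, plus the
    removed value so the request object can keep it privately.

    This mirrors the low-level behaviour mentioned in the thread: the header
    is taken out of the environment immediately, so anything that later dumps
    the environ (error pages, debug views, logs) cannot show it.
    """
    clean = dict(environ)
    auth = clean.pop("HTTP_AUTHORIZATION", "")
    return clean, auth


def is_sensitive(key: str, sensitive_names: Iterable[str] = ()) -> bool:
    """A form field is masked if the generic "passw" heuristic fires or if the
    application listed the field name itself (compared case-insensitively)."""
    if _PASSW.search(key):
        return True
    return key.lower() in {n.lower() for n in sensitive_names}


def redact_form(form: Mapping[str, str],
                sensitive_names: Iterable[str] = ()) -> Dict[str, str]:
    """Return a display-safe copy of the form data with sensitive values masked."""
    names = tuple(sensitive_names)
    return {k: (MASK if is_sensitive(k, names) else v) for k, v in form.items()}


def describe_request(environ: Mapping[str, str], form: Mapping[str, str],
                     sensitive_names: Iterable[str] = ()) -> str:
    """Build the text a debug view or error log would show for a request.
    Form data always passes through redaction; the Authorization header is
    never part of the output at all."""
    clean_env, _auth = scrub_environ(environ)
    lines = ["environ:"]
    lines += [f"  {k}={v}" for k, v in sorted(clean_env.items())]
    lines.append("form:")
    redacted = redact_form(form, sensitive_names)
    lines += [f"  {k}={v}" for k, v in sorted(redacted.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input; none of these values are real credentials.
    environ = {"PATH_INFO": "/login", "REQUEST_METHOD": "POST",
               "HTTP_AUTHORIZATION": "Basic ZGVtbzpkZW1v"}
    form = {"username": "demo", "password": "hunter2",
            "Kennung": "geheim", "auth": "abc123"}
    print("-- heuristic only: 'Kennung' and 'auth' leak --")
    print(describe_request(environ, form))
    print("-- heuristic plus application-declared field names --")
    print(describe_request(environ, form, sensitive_names={"Kennung", "auth"}))
```

Run as a script it prints the two renderings; the first shows "geheim" and "abc123" in clear because neither key contains "passw", the second masks them because the application declared those names. The Authorization header is absent from both, which is the point of stripping it at construction time rather than at display time.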