Hanno Schlichting wrote:
> Malthe Borch wrote:
>> 2009/5/12 Tres Seaver <tsea...@palladion.com>:
>>> The server side wouldn't know that:  the presence of such a field in the
>>> request is completely independent of any form (e.g., cookies passed long
>>> after logging in).
>> I understand the issue, but shouldn't the remedy be to avoid ever
>> displaying request data in a public view?
> 
> I wonder who would put credentials in clear text into the request and
> then display the request itself?

The original bug report now lives at:
https://bugs.launchpad.net/zope2/+bug/142434

The original issue doesn't apply anymore, since the error_log is no
longer used or populated in repoze.zope2.

The issue also mentions that __ac_password should be kept away from user
code, which sounds more reasonable as it is an actual key used inside
Zope2 and not just guessing a name.

The only place where this name is used is inside the FTPRequest in
ZPublisher. The code there is indeed dubious and does:

self.other['__ac_password']=channel.password

From what I can tell fixing this particular problem in FTPRequest is
reasonable. Since repoze.zope2 neither uses nor supports the FTPRequest
or FTPServer from ZServer, I don't see any need for code inside
repoze.zope2 though.

Hanno
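
As an added illustration of the point under discussion (not code from the thread, Zope2 or repoze.zope2), the following constructs a stand-in for the ZPublisher request's `other` mapping, populated the way the quoted FTPRequest line populates it, and shows a scrubber that redacts credential-bearing keys such as `__ac_password` before request data is rendered into something like an error log. The `FakeFTPRequest` class, the generic key patterns beyond `__ac_password`, and the sample values are assumptions for the example.

```python
import re
from collections.abc import Mapping

# ``__ac_password`` is the real key the thread names; the remaining patterns
# are assumed generic credential names, not keys taken from Zope2.
SENSITIVE_KEY_RE = re.compile(r"(__ac_password|password|passwd|secret|token)", re.I)
REDACTED = "<redacted>"


class FakeFTPRequest:
    """Constructed stand-in mirroring ``self.other['__ac_password'] = channel.password``."""

    def __init__(self, username, password, path):
        self.other = {"__ac_name": username, "__ac_password": password, "PATH_INFO": path}

    def __str__(self):
        # The unsafe behaviour: dumping the whole request mapping verbatim,
        # which is what an error log or debug view that prints the request does.
        return "\n".join(f"{k}: {v}" for k, v in sorted(self.other.items()))


def scrub(data):
    """Return a copy of ``data`` with values under credential keys replaced.

    Recurses into nested mappings, lists and tuples so that a form dict or a
    list of headers inside the request mapping is scrubbed too.
    """
    if isinstance(data, Mapping):
        return {k: (REDACTED if SENSITIVE_KEY_RE.search(str(k)) else scrub(v))
                for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return type(data)(scrub(v) for v in data)
    return data


def render_for_error_log(request):
    """Safe rendering: scrub the request mapping before it becomes log text."""
    return "\n".join(f"{k}: {v}" for k, v in sorted(scrub(request.other).items()))


if __name__ == "__main__":
    req = FakeFTPRequest("alice", "hunter2-constructed", "/Plone")
    print("--- verbatim dump (leaks the password) ---")
    print(str(req))
    print("--- scrubbed dump ---")
    print(render_for_error_log(req))
```

Scrubbing at the rendering boundary covers every view that prints request data, not only the one place that happened to be reported.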

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
