>>> The server side wouldn't know that:  the presence of such a field in the
>>> request is completely independent of any form (e.g., cookies passed long
>>> after logging in).
>> I understand the issue, but shouldn't the remedy be to avoid ever
>> displaying request data in a public view?
> I wonder who would put credentials in clear text into the request and
> then display the request itself?

The original bug report now lives at:

The original issue doesn't apply anymore, since the error_log is no
longer used or populated in repoze.zope2.

The issue also mentions that __ac_password should be kept away from user
code, which sounds more reasonable as it is an actual key used inside
Zope2 and not just guessing a name.

The only place where this name is used is inside the FTPRequest in
ZPublisher. The code there is indeed dubious and does:


From what I can tell, fixing this particular problem in FTPRequest is
reasonable. Since repoze.zope2 neither uses nor supports the FTPRequest
or FTPServer from ZServer, I don't see any need for code inside
repoze.zope2 though.
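As an added illustration of the remedy raised above (never rendering raw request data into a log or public view), and not code from Zope2, ZPublisher or repoze.zope2: a small Python redaction step that masks `__ac_password` and similar keys before a request is summarised for an error log. The key pattern, the function names and the sample request are assumptions of this example.

```python
import logging
import re
from typing import Any, Mapping

# Hypothetical example: scrub credential-bearing keys from a request's form
# and cookie data before any code path stores or displays the request, so a
# later rendering of the record cannot leak the password that was submitted.

# __ac_password is the key named in the thread; the other names are an
# assumption covering common credential fields.
SENSITIVE_KEY = re.compile(r"(__ac_password|password|passwd|secret|token)",
                           re.IGNORECASE)
REDACTED = "<redacted>"


def redact_mapping(data: Mapping[str, Any]) -> dict:
    """Return a copy of ``data`` with values of credential-like keys masked."""
    cleaned = {}
    for key, value in data.items():
        if SENSITIVE_KEY.search(key):
            cleaned[key] = REDACTED
        elif isinstance(value, Mapping):
            # Nested records (form fields marshalled into sub-mappings).
            cleaned[key] = redact_mapping(value)
        else:
            cleaned[key] = value
    return cleaned


def describe_request_for_log(form: Mapping[str, Any],
                             cookies: Mapping[str, str]) -> str:
    """Build the one-line request summary an error logger may store or show."""
    return "form=%r cookies=%r" % (redact_mapping(form), redact_mapping(cookies))


if __name__ == "__main__":
    # Constructed sample: a login POST carrying the password in form and cookie.
    sample_form = {"__ac_name": "alice", "__ac_password": "hunter2", "came_from": "/"}
    sample_cookies = {"__ac_password": "hunter2", "lang": "en"}
    logging.basicConfig(level=logging.ERROR)
    logging.error("Unhandled exception while publishing: %s",
                  describe_request_for_log(sample_form, sample_cookies))
```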


