Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Tres Seaver

Hanno Schlichting wrote:

> Removed _filterPasswordFields hack, preventing keys with the exact
> key 'passw' to be filtered out in one place is just obscurity.

But you didn't de-obfuscate it, you ripped it out.  Now, the response
view shows credentials, which is a security hole.


Tres.
--
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Design   http://palladion.com
___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev


Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Malthe Borch
2009/5/12 Tres Seaver tsea...@palladion.com:
> The server side wouldn't know that:  the presence of such a field in the
> request is completely independent of any form (e.g., cookies passed long
> after logging in).

I understand the issue, but shouldn't the remedy be to avoid ever
displaying request data in a public view?

\malthe
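The two positions in this thread side by side, as an added example that is not code from the r4659 checkin or from repoze.zope2: a substring filter in the spirit of the removed `_filterPasswordFields` hack, next to an allow-list redaction that never echoes a request value unless its key is explicitly known to be harmless. The request dict, its key names and values are constructed for the example (`__ac` follows Zope's cookie-credential naming, but is sample data here).

```python
import re

# Constructed sample request, as a debug/response view might see it:
# credentials arrive both as form fields and as a cookie, long after login.
SAMPLE_REQUEST = {
    "form": {"__ac_password": "hunter2", "pwd": "hunter2",
             "csrf_token": "abc123", "page": "1"},
    "cookies": {"__ac": "YWxpY2U6aHVudGVyMg==", "lang": "en"},
}

REDACTED = "<redacted>"

def substring_filter(request, needle="passw"):
    """The removed hack's idea: drop keys containing one substring.
    Everything else (pwd, tokens, cookies) passes through unchanged."""
    return {section: {k: v for k, v in fields.items() if needle not in k}
            for section, fields in request.items()}

# Deny-list patterns are still worth keeping (e.g. for log scrubbing), but
# on their own they remain a guessing game; the allow-list is the control.
SENSITIVE = re.compile(r"passw|pwd|secret|token|__ac|auth|session", re.I)

def allow_list_redact(request, allowed=frozenset({"page", "lang"})):
    """Show a value only for keys on an explicit allow-list; every other key
    is listed as present but with its value hidden, so an unforeseen
    credential field can never be echoed into a public view."""
    out = {}
    for section, fields in request.items():
        out[section] = {}
        for k, v in fields.items():
            if k in allowed and not SENSITIVE.search(k):
                out[section][k] = v
            else:
                out[section][k] = REDACTED
    return out

def leaked_values(view_output, request):
    """Values from sensitive-looking request keys that survive into the view."""
    secrets = {v for fields in request.values()
               for k, v in fields.items() if SENSITIVE.search(k)}
    shown = {v for fields in view_output.values() for v in fields.values()}
    return secrets & shown

if __name__ == "__main__":
    print("substring filter leaks:", leaked_values(substring_filter(SAMPLE_REQUEST), SAMPLE_REQUEST))
    print("allow-list redaction leaks:", leaked_values(allow_list_redact(SAMPLE_REQUEST), SAMPLE_REQUEST))
```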