Re: [Zope] IIS and Zope share same problem :-S

2000-11-06 Thread Chris Withers
Pierre-Julien Grizel wrote: Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... And, thus, according proxy roles to the methods that must access it, such as index_html. I know it's constraining but with a little work we can end up with

Re: [Zope] IIS and Zope share same problem :-S

2000-10-22 Thread Bill Anderson
Chris Withers wrote: Andrew Kenneth Milton wrote: | | http://www.zope.org/standard_html_header for example ;-) Not that old chestnut again... Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do

Re: [Zope] IIS and Zope share same problem :-S

2000-10-22 Thread Curtis Maloney
On Fri, 20 Oct 2000, Chris Withers wrote: Andrew Kenneth Milton wrote: | http://www.zope.org/standard_html_header for example ;-) Not that old chestnut again... Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally

Re: [Zope] IIS and Zope share same problem :-S

2000-10-20 Thread Andrew Kenneth Milton
+---[ Chris Withers ]--
| MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
| by Dave Murphy, [EMAIL PROTECTED]
|
| Microsoft is scrambling to repair damage caused by a
| security hole in its IIS 4 5 webserver that runs on
| Windows NT/2000. Microsoft claims over four

Re: [Zope] IIS and Zope share same problem :-S

2000-10-20 Thread Pierre-Julien Grizel
Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... And, thus, according proxy roles to the methods that must access it, such as index_html. I know it's constraining but with a little work we can end up with something quite secure secret.

Re: [Zope] IIS and Zope share same problem :-S

2000-10-20 Thread Ragnar Beer
As I already suggested ages ;) ago (and still didn't put into practice) it would here again be best to deny everything that isn't explicitly allowed (e.g. allow whatever ends with _html or .html and deny everything else) but then I would have to go over the whole website and make bazillions