I've submitted a patch for this issue: http://trac.symfony-project.org/ticket/4577
Kris On Sep 6, 12:08 pm, Kris Wallsmith <[EMAIL PROTECTED]> wrote: > On Sep 6, 2008, at 11:56 AM, Fabien Potencier wrote: > > > > > > > Kris Wallsmith wrote: > >> ...but I generally try to obscure the technology behind the sites I > >> work > >> on. For example, I always remove the /sf alias from the web > >> directory in > >> production and use a custom CSRF field name. > > >> I see a few more "tells" in the current 1.1 and 1.2 branches that may > >> not be as easy to opt-out of, namely the [1.1, 1.2] sf_format and > >> [1.2] > >> sf_method request parameters. Is there a way to customize these > >> parameter names or disable that magic altogether and rely solely on > >> HTTP > >> headers? If not, this "magic" smells a bit like the whole > >> register_globals debacle... > > > sf_format is never ever revealed in HTML as most of the time, it's > > embedded in your routes. > > Yes, but someone could add ?sf_format=json to a URL and possibly alter > the response, thus revealing the framework. > > > The sf_method parameter is not mandatory. Just don't use PUT and > > DELETE > > in your browser. > > Same case here, someone could add ?sf_method=PUT. > > If this is a case of "convention over configuration" so be it, but it > seems easy enough to add a few parameters to factories.yml and the > sfWebRequest class. > > Thanks again, > Kris > > > Fabien > > >> Thanks, > >> Kris --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en -~----------~----~----~----~------~----~------~--~---
