Shane Hathaway wrote:

> [...]
> PDV just yields information you might give out anyway.  But maybe we 
> could deal with it anyway by writing an "error.log" instead of sending 
> the traceback to the browser.  What do you think?

I think it's fine, but only if specified on the cmdline or other 
configuration equivalent (--paranoid or PARANOID="yes, please!" come to 
mind :-). But I guess that goes without saying.

Alternatively (or concurrently) we could reformat the traceback to 
report file names relative to Zope instalation directory (or to 
INSTANCE_HOME) instead of reporting the absolute filename. In this case 
the only leaked information is of the kind an attacker could easily 
obtain from downloading Zope source code, which, last time I looked, was 
available for all those damned script kiddies to download. Damn these 
opensource projects who keep posting their source code allowing 
Hackers(TM) to look at its vulnerabilities :-)

     Cheers, Leo

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to