Michael Bernstein wrote:
> Chris Withers wrote:
> >
> > Incidentally, I think this is a bit of a security hole. You shouldn't
> > get told what you're not allowed to see, especially if it's 'cos you got
> > your password wrong. If you see what I mean ;-)
> I see what you mean here, Chris, but wouldn't this come
> under the heading of a 'security through obscurity' hole?
> ie. you're saying that the system isn't obscure enough?

Not really... I'm saying it shouldn't tell you stuff you _never_ need to
know, like where on your file system the Zope files live.

A lot of this comes from standard_error_message not being used for
authorization errors, and Zope's insistence on tacking the traceback onto
error pages it returns, even in production mode :-S

Might have to have a look at this some time ;-)



Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )
