We just discovered that when using VirtualHostMonster in apache
RewriteRules, it is possible to access every content in the zope
instance. If the URL points to a subfolder, just like
then it's still possible to access content below that subfolder on the
instance. If $1 is some foldername that doesn't exist in the subfolder
but instead in the root folder of the instance, its content is returned.

An example to make it explicit:

Let's assume we have three directories in the root folder of the
instance: /project1, /project2 and /project3.

The VirtualHostMonster is used to access project2 directly via
RewriteRule ^/(.*) 

But both project1 and project3 are also accessible through project2.com
over the URLs "http://www.project2.com/project1" and

Is this a known issue? I consider that as a quite serious bug, as both
project1 and project3 might be private and should not be published over
the globally available apache rewriterule.

We do use zope2.10.5 on a debian/etch system.

Zope maillist  -  Zope@zope.org
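An added example, not part of the original post and not Zope code: a simplified Python model of the fallback lookup the post describes (Zope's acquisition), with a check that lists which root-level folders a virtual host mapped to /project2 would still serve. The names `Folder`, `lookup`, `resolve`, `exposed_outside` and the `docs` subfolder are hypothetical.

```python
# Simplified model of the lookup the post describes; not Zope code.
# Folder names come from the post, "docs" is constructed sample content.
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}

    def add(self, name):
        self.children[name] = Folder(name, parent=self)
        return self.children[name]

    def path(self):
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))

def lookup(folder, name):
    """Find `name` in folder, else in each enclosing folder up to the root."""
    while folder is not None:
        if name in folder.children:
            return folder.children[name]
        folder = folder.parent
    return None

def resolve(virtual_root, url_path):
    """Resolve a URL path starting at the folder the virtual host maps to."""
    current = virtual_root
    for segment in filter(None, url_path.split("/")):
        current = lookup(current, segment)
        if current is None:
            return None
    return current

def is_under(node, ancestor):
    """True if node is ancestor itself or lives somewhere below it."""
    return node is ancestor or (node.parent is not None and is_under(node.parent, ancestor))

def exposed_outside(virtual_root, instance_root):
    """Paths of root-level folders served by the virtual host although they
    are not inside the folder it is mapped to."""
    hits = (resolve(virtual_root, "/" + n) for n in sorted(instance_root.children))
    return [h.path() for h in hits if h is not None and not is_under(h, virtual_root)]

def build_sample():
    root = Folder("")
    for name in ("project1", "project2", "project3"):
        root.add(name)
    root.children["project2"].add("docs")
    return root, root.children["project2"]
```

Running `exposed_outside` on the sample tree reports /project1 and /project3, which is the set of folders that would need their own access restrictions rather than relying on the rewrite rule to hide them.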