Shane Hathaway wrote:
> [...]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
I think it's fine, but only if specified on the z2.py cmdline or other
configuration equivalent (--paranoid or PARANOID="yes, please!" come to
mind :-). But I guess that goes without saying.
Alternatively (or concurrently) we could reformat the traceback to
report file names relative to Zope installation directory (or to
INSTANCE_HOME) instead of reporting the absolute filename. In this case
the only leaked information is of the kind an attacker could easily
obtain from downloading Zope source code, which, last time I looked, was
available for all those damned script kiddies to download. Damn these
opensource projects who keep posting their source code allowing
Hackers(TM) to look at its vulnerabilities :-)
Cheers, Leo
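The two ideas in Leo's reply, written out as an added Python example that is not code from the thread or from Zope: frame filenames are rewritten relative to the install root (anything outside it collapses to a basename), and a paranoid flag sends the full traceback to an error log while the browser gets only an opaque message. The `demo` function, its ZeroDivisionError and the use of the script's own directory in place of INSTANCE_HOME are constructed for illustration.

```python
import io
import os
import traceback

def relativize_path(filename, roots):
    """Path relative to the first root containing it; basename if outside all."""
    real = os.path.realpath(filename)
    for root in roots:
        root_real = os.path.realpath(root)
        # commonpath, not startswith: /opt/zope2 must not match root /opt/zope
        if os.path.commonpath([real, root_real]) == root_real:
            return os.path.relpath(real, root_real)
    return os.path.basename(real)  # outside the install: reveal nothing of the layout

def format_scrubbed_traceback(exc, roots):
    """Like traceback.format_exception, but with scrubbed frame filenames."""
    frames = [
        traceback.FrameSummary(relativize_path(f.filename, roots), f.lineno, f.name, line=f.line)
        for f in traceback.extract_tb(exc.__traceback__)
    ]
    return "".join(
        ["Traceback (most recent call last):\n"]
        + traceback.format_list(frames)
        + traceback.format_exception_only(type(exc), exc)
    )

def render_error(exc, roots, paranoid, log):
    """Text the browser receives.

    paranoid=False: the scrubbed traceback (install-relative paths only).
    paranoid=True: the full traceback goes to `log` (the error.log idea)
    and the browser gets only an opaque message.
    """
    if not paranoid:
        return format_scrubbed_traceback(exc, roots)
    log.write("".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    return "Internal error; details were written to the server error log.\n"

def demo(paranoid):
    """Constructed failure; returns (browser_text, log_text)."""
    log = io.StringIO()
    roots = [os.path.dirname(os.path.abspath(__file__))]  # stands in for INSTANCE_HOME
    try:
        1 / 0
    except ZeroDivisionError as exc:
        return render_error(exc, roots, paranoid, log), log.getvalue()

if __name__ == "__main__":
    print(demo(paranoid=False)[0])
```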
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev