There are two completely different things: 1. the server log 2. the output to the client.
In the first case you may log everything that you thing it is reasonable - stack traces and dumps, relative and absolute paths, etc. It can may be assumed that is secure since in general it is not accessible out of the box. My personal opinion is that even this log have to differ if -D (debug option) is misplayed. In the second case it is better if Zope is returning just the error or the response. In the XML-RPC case the error have to be a valid XML-RPC response, not a stack trace. I can get that a stack trace may be extremely useful for a developer but cant he see the server's error log? BW if a program is expecting XML-RPC response but it is receiving stack trace it may be a little confusing (especially for a not so well written program ;). Zope first have to conform the protocol for XML-RPC exchange (return XML response) and after that to sweet the developers (dump error in the server's log). Regards, Rossen ----- Original Message ----- From: "Dieter Maurer" <[EMAIL PROTECTED]> To: "Shane Hathaway" <[EMAIL PROTECTED]> Cc: "Rossen Raykov" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, April 04, 2002 2:55 PM Subject: Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling. > Shane Hathaway writes: > > If you can, please check out the latest Zope from CVS. Tracebacks no > > longer appear by default, and even when they do, they do not show any > > filesystem paths. (If you already have a checkout, make sure you use > > "cvs up -dP" to get the new product.) > I am very interested in filesystem paths, not necessary absolute ones > but relative pathnames are very helpful to locate a problem. > > > Dieter > _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
