[Zope-dev] Vulnerability: attacking can get file list and directory

Chris Withers chrisw@nipltd.com
Mon, 24 Sep 2001 16:49:06 +0100


Shane Hathaway wrote:
> 
> PDV just yields information you might give out anyway.  But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser.  What do you think?

Well, how about just changing the brain-dead way standard_error_message works?

The traceback should _not_ be _appended_ to the error message. If an app
developer chooses to show it, then fine, they can, as they do already (mine sends
me an error email ;-), but why should it be appended in all circumstances (even
if it is in HTML quoting on production servers?!)

Oh yeah, Authentication exceptions shouldn't return a hard-coded error message
either...

bah humbug ;-)

Chris
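The mitigation discussed above (keep the traceback out of the browser response, write it to a server-side error log, and let the application decide what the client sees), as an added, self-contained Python example. It is not Zope's `standard_error_message` and not code from this thread; the function and parameter names (`build_error_response`, `production`, `make_memory_logger`) are assumptions made for the illustration, and the log sink is an in-memory buffer so the example runs offline.

```python
import html
import logging
import traceback
from io import StringIO

# Assumption for this example: a logger that writes to an in-memory buffer stands in
# for the "error.log" proposed in the thread, so the result can be inspected directly.
def make_memory_logger(name="example.errorlog"):
    buffer = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()          # idempotent on repeated calls
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buffer


def build_error_response(exc, log, production=True):
    """Return (status, html_body) for the client.

    The full traceback always goes to `log`. It reaches the client only when
    `production` is False; in production the client gets a generic message, so the
    traceback is neither appended to nor quoted inside the page.
    """
    tb_text = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("unhandled exception: %s", tb_text)

    if production:
        body = "<p>An error occurred. The administrator has been notified.</p>"
    else:
        # Development only: show the traceback, escaped so it cannot inject markup.
        body = "<pre>" + html.escape(tb_text) + "</pre>"
    return 500, body


def simulate_request(production):
    """Raise a constructed error and run it through the handler (example input)."""
    log, buffer = make_memory_logger()
    try:
        raise ValueError("constructed failure for the example")
    except ValueError as exc:
        status, body = build_error_response(exc, log, production=production)
    return status, body, buffer.getvalue()


if __name__ == "__main__":
    status, body, logged = simulate_request(production=True)
    print(status)
    print(body)
    print("logged traceback:", "Traceback" in logged)
```

The split into `build_error_response` and the log sink mirrors the proposal in the thread: the traceback is recorded once, server-side, and the application (here, the `production` flag) decides whether anything beyond a generic message is returned, instead of the traceback being appended unconditionally.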