[Zope] <code> tag?

Martijn Pieters mj@antraciet.nl
Sun, 29 Aug 1999 07:14:43 +0200


At 02:03 29-8-99, Mike Winter wrote:
>Hi, just a quick question: how do you get Zope to display DTML without
>evaluating it?

There are two methods, one of which is (to me) a very serious security 
breach: document_src (for which you need the View management screens 
permission), and PrincipiaSearchSource, for which you do not need any 
permissions at all. At any Zope2 site, I can add /PrincipiaSearchSource to 
the URL and see the source of that DTML Method/Document.

I just discovered this, and will report it to the Collector.

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| T: +31 35 7502100 F: +31 35 7502111
| mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
---------------------------------------------
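
A defender-side check for the exposure described in the message above, as an added example that is not part of the original post: it scans web access logs for successful requests to the two source-revealing methods named there and marks the ones made without an authenticated user. The Common Log Format layout, the function name and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Source-revealing method names mentioned in the post.
SOURCE_METHODS = {"PrincipiaSearchSource", "document_src"}

# Assumed layout (Common Log Format):
#   host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_source_disclosures(lines):
    """Return one dict per 2xx response to a source-revealing method."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log record
        # Drop the query string and any trailing slash before comparing.
        path = urlsplit(m["target"]).path.rstrip("/")
        name = path.rsplit("/", 1)[-1]
        if name not in SOURCE_METHODS or not m["status"].startswith("2"):
            continue  # other URL, or the server refused the request
        hits.append({
            "host": m["host"],
            "user": m["user"],
            "path": path,
            "name": name,
            # CLF writes "-" when no user was authenticated.
            "anonymous": m["user"] == "-",
        })
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/1999:07:20:01 +0200] "GET /index_html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [29/Aug/1999:07:20:05 +0200] "GET /index_html/PrincipiaSearchSource HTTP/1.0" 200 2048',
    '192.0.2.44 - manager [29/Aug/1999:07:21:12 +0200] "GET /news/document_src HTTP/1.0" 200 900',
    '192.0.2.77 - - [29/Aug/1999:07:22:30 +0200] "GET /news/document_src HTTP/1.0" 401 120',
    '192.0.2.10 - - [29/Aug/1999:07:23:00 +0200] "GET /shop/list/PrincipiaSearchSource?x=1 HTTP/1.0" 200 777',
]

if __name__ == "__main__":
    for hit in find_source_disclosures(SAMPLE_LOG):
        tag = "ANONYMOUS" if hit["anonymous"] else "authenticated"
        print(f'{tag:13} {hit["host"]:12} {hit["user"]:8} {hit["path"]}')
```

Anonymous hits are the ones that matter here: they are source views served without any permission check, while authenticated `document_src` hits are expected management activity.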