[Zope] Re: [Zope-dev] Zope 2.1.4 released...

Lalo Martins lalo@webcom.com
Wed, 9 Feb 2000 19:54:54 -0200


On Wed, Feb 09, 2000 at 04:54:48PM -0500, Brian Lloyd wrote:
> 
> This update prevents the REQUEST object from being traversable 
> by web clients. While this feature was useful for debugging, 
> Evan Simpson noted a potential security issue that could allow 
> web authors to play client scripting tricks and make them appear 
> (to the user) to be coming from a Zope site.

Sorry, I don't get it. Can you elaborate? I don't see how this
is a problem.

And how exactly is ``traversing'' banned? Can't I
<dtml-var REQUEST> anymore, or are you talking about direct
access via some URL?

[]s,
                                               |alo
                                               +----
--
      I am Lalo of deB-org. You will be freed.
                 Resistance is futile.

http://www.webcom.com/lalo      mailto:lalo@webcom.com
                 pgp key in the web page

Debian GNU/Linux       ---       http://www.debian.org
Brazil of Darkness   --   http://zope.gf.com.br/BroDar
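To make the question concrete, here is an added illustration of what "traversable by web clients" means in URL terms. This is constructed example code, not Zope's publisher and not code from either poster: the object graph, the `Request` and `Document` classes, the `publish()` function, the `REQUEST` segment handling and the sample URLs are all assumptions made for the demonstration. It shows a toy publisher that resolves each path segment by attribute lookup, so that with the request object reachable by name a client can walk into its own form data and have it echoed back from the site, and the same publisher with traversal into the request refused.

```python
"""Toy URL traversal into a request object (constructed example, not Zope code)."""
from urllib.parse import parse_qs, urlsplit


class Request:
    """Stand-in for a request object: `form` holds the parsed query string."""

    def __init__(self, query):
        # Assumption: keep only the first value of each parameter.
        self.form = {k: v[0] for k, v in parse_qs(query).items()}


class Document:
    """A published object with one ordinary public attribute."""

    title = "Welcome"


def traverse(root, path, request, allow_request=True):
    """Resolve a slash-separated path by attribute (or dict key) lookup.

    The segment `REQUEST` (assumed name) selects the request object itself.
    With allow_request=True a client can therefore continue into
    `REQUEST/form/<param>` and have its own query-string value published.
    """
    obj = root
    for segment in filter(None, path.split("/")):
        if segment.startswith("_"):
            raise PermissionError("private names are not traversable")
        if segment == "REQUEST":
            if not allow_request:
                raise PermissionError("REQUEST is not traversable")
            obj = request
        elif isinstance(obj, dict):
            obj = obj[segment]
        else:
            obj = getattr(obj, segment)
    return obj


def publish(url, root, allow_request=True):
    """Publish the object a URL traverses to, rendered as text."""
    parts = urlsplit(url)
    request = Request(parts.query)
    result = traverse(root, parts.path, request, allow_request)
    return str(result)


def safe_publish(url, root):
    """Same publisher with traversal into the request object refused."""
    try:
        return publish(url, root, allow_request=False)
    except PermissionError:
        return "403 Forbidden"


if __name__ == "__main__":
    # Constructed sample: the client supplies script text in the query string
    # and asks for it back through the request object.
    reflect = "http://example.invalid/REQUEST/form/name?name=%3Cscript%3Ealert(1)%3C/script%3E"
    print(publish(reflect, Document()))       # echoes the client's own script
    print(safe_publish(reflect, Document()))  # 403 Forbidden
    print(safe_publish("http://example.invalid/title", Document()))  # Welcome
```

The first call returns the client-supplied text as the site's own response body, which is the "appears to come from a Zope site" problem in miniature; the hardened call refuses the `REQUEST` segment while ordinary objects such as `title` stay reachable.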