[Zope] ZHTTP Server allows server name

ender kthangavelu@earthlink.net
Sun, 11 Mar 2001 04:22:38 -0800


On Sunday 11 March 2001 04:25, Oleg Broytmann wrote:
>>Hello!
>>
>>   Our system/network admins scanned our local network and found a strange
>>proxy on my computer :)
>>
>>> telnet localhost 8080
>>
>>Trying 127.0.0.1...
>>Connected to localhost.
>>Escape character is '^]'.
>>GET http://www.zope.org/ HTTP/1.0
>>Host: localhost
>>
>>   Then Zope returned the root page of localhost, not www.zope.org, so it is
>>not a security hole, but anyway I think ZServer should not accept a server name
>>in the request. Instead an error (perhaps HTTP error 400) should be
>>returned.
>>   Should I report this to the Collector?

probably as a feature request to z2.py for a check host option, else you'll 
be hosing those doing virtual hosting.

kapil
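
An added sketch of the "check host" idea discussed in this thread, not part of either post and not Zope or z2.py code: it answers 400 when a request names a host the server does not serve, while still accepting configured virtual hosts. The names `check_host`, `_hostname` and `ALLOWED_HOSTS` and the sample host `www.example.org` are assumptions, and only origin-form and absolute-form request targets are handled.

```python
from urllib.parse import urlsplit

# Assumption: names this server answers for (its own name plus virtual hosts).
ALLOWED_HOSTS = {"localhost", "www.example.org"}


def _hostname(value):
    """Lower-cased host part of a Host header value, port dropped."""
    return urlsplit("//" + value).hostname


def check_host(raw_request, allowed_hosts=ALLOWED_HOSTS):
    """Return (status, reason) for the head of one HTTP request."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return 400, "malformed request line"
    target = parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return 400, "malformed header"
        headers[name.strip().lower()] = value.strip()

    if target.startswith("/"):
        # Origin-form: the only name available is the Host header.
        name = _hostname(headers.get("host", ""))
        if name is None:
            return 200, "no name given, default site"
    else:
        # Absolute-form: the name in the request line takes precedence
        # over Host, so that is the one to check.
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            return 400, "unsupported request target"
        name = url.hostname
    if name not in allowed_hosts:
        return 400, "request names a host this server does not serve"
    return 200, "host accepted"


# Constructed inputs; the first is the request from the telnet session above.
PROBE = "GET http://www.zope.org/ HTTP/1.0\r\nHost: localhost\r\n\r\n"
VHOST = "GET http://www.example.org/ HTTP/1.0\r\nHost: localhost\r\n\r\n"
PLAIN = "GET / HTTP/1.0\r\nHost: localhost:8080\r\n\r\n"

if __name__ == "__main__":
    for req in (PROBE, VHOST, PLAIN):
        print(check_host(req))
```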