[Zope] Site Error Messages

emf mindlace@imeme.net
Tue, 20 Nov 2001 22:40:54 -0700


Michael wrote:

> On Mon, 19 Nov 2001, emf wrote:
> 
> 
>>IMHO, you'll probably regret this :)
>>
> 
> Considering your warning, I have to ask, are there any other options?  What 
> do others do on a production site, just allow users to view their directory 
> structure?  Wouldn't this be somewhat of a security hole?  I don't mind 
> having a traceback for internal purposes, I just don't want users to have the 
> ability to see it.


Well, the patch I gave you will not override traceback if the -D flag is 
turned on.

You could patch it more extensively and make it email or log the 
traceback, if you liked.

I'm not convinced it's that much of a security risk, to be honest. 
Indeed, "send me the error page" has been a good thing for me more than 
once.

Basically, if your security depends on users not being able to see your 
directory structure, you've got big concerns that won't be addressed by 
hiding the traceback.

HTH,
-- 
ethan mindlace fremen  |  iMeme - The most full featured Zope Host
http://mindlace.net    |  Root, ZEO, MySQL, Mailman, Unlimited Domains
iMeme Partner          |  http://iMeme.net
"It is our desire to remain what we are that limits us. -- Project 2501"
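
Added example (not part of the original message, and neither the patch mentioned in the thread nor Zope's own code): one way to keep the traceback off the user-facing page while logging it, with a reference ID so that "send me the error page" still identifies the failure. The names `render_error`, `make_logger` and `demo`, the `debug` switch standing in for the -D flag, and the file path are all assumptions made for illustration.

```python
import io
import logging
import traceback
import uuid

def make_logger(stream):
    """Server-side error log; a real site would use a file or mail handler."""
    logger = logging.getLogger("site.errors.%s" % uuid.uuid4().hex)
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(stream))
    return logger

def render_error(exc, logger, debug=False):
    """Return the error page body shown to the user.

    debug=True stands in for running with the -D flag: the traceback
    stays on the page. Otherwise the traceback goes only to the log,
    and the page carries a reference ID the user can send back.
    """
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return "Site Error\n\n" + tb
    ref = uuid.uuid4().hex[:12]
    logger.error("error ref=%s\n%s", ref, tb)
    return ("Site Error\n\nAn error occurred. "
            "Please quote reference %s when reporting it." % ref)

def demo(debug):
    """Constructed failure: opening a file under a made-up server path."""
    log = io.StringIO()
    logger = make_logger(log)
    try:
        open("/nonexistent/site/data/report.txt")
    except OSError as exc:
        page = render_error(exc, logger, debug=debug)
    return page, log.getvalue()

if __name__ == "__main__":
    page, log = demo(debug=False)
    print(page)
    print("--- server log ---")
    print(log)
```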