[Zope] URLs expose information which we'd like to hide

Dieter Maurer dieter at handshake.de
Thu Feb 5 13:33:26 EST 2004


Dennis Allison wrote at 2004-2-4 13:51 -0800:
>Dieter, can you elaborate on this a bit?  Passing parameters with the 
>URL (for example,  http://foo.goo.com?p1=v1&p2=v2 ) seems to be locked
>in pretty deeply in the Zope paradigm.  What would be your suggestion?

HTML is not designed to be secure against curious users....

When you try to hide parameters, I will use a TCPLogger to
see what is on the wire.

When you use HTTPS, I will analyse the HTML source to determine
your secrets.

>On Wed, 4 Feb 2004, Dieter Maurer wrote:
>> Dennis Allison wrote at 2004-2-4 08:09 -0800:
>> > ...
>> >The parameters passed by GET and, to a lesser extent, the URLs themselves,
>> >represent a security issue in one of our systems. 
>> 
>> Rethink what you are doing....

-- 
Dieter


