default configuration exposes template code and paths
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 3 | Fix Released | Medium | Christian Theune |
Bug Description
The default configuration of Zope 3 has the very convenient feature that you can include a URL path step like /++debug++source/ to see comments in the page template source of the absolute paths of the templates on the filesystem, and /++debug++tal/ to see the source to the page template in comments in the rendered page template.
This debugging aid is enabled by default, and it isn't obvious how to turn it off. I expect most Zope 3 sites in production have this feature enabled. This is a marginal security risk on all systems (exposure of filesystem paths), and a security and confidentiality issue for non-open-source applications (exposure of page template source to the public that you didn't think would be exposed).
What should happen is that this feature should be disabled by default, and should be enabled only if someone explicitly turns it on.
A workaround is to put your Zope server behind something like Apache, and disallow requests with a URL that include the offending path steps.
The ++debug++ namespace traverser is registered in zope.app.traversing/configure.zcml (last directive). I propose to add zcml:condition="have developer-mode" to this directive to prevent it from being loaded when developer mode is turned off. That should be the case for all production sites, really.
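The workaround above blocks the offending path steps in a front-end proxy. The following is an added example, not code from the bug report or from Zope itself: a small, hypothetical WSGI middleware that does the same job in-process, refusing any request whose path contains a `++debug++` traversal namespace step. It percent-decodes the path before matching so that an encoded form such as `%2B%2Bdebug%2B%2Btal` is also caught, and it only blocks the `debug` namespace, leaving other `++ns++` steps such as `++etc++site` alone. The class and function names, and the sample paths fed through it, are constructed for this illustration.

```python
"""Added example: block Zope 3 ++debug++ traversal steps at the WSGI layer.

This is hypothetical middleware written for illustration; it is not part of
Zope 3. It rejects requests for /++debug++source/... and /++debug++tal/...
with 403 so the debug traverser cannot be reached from the network, even if
it is still registered in zope.app.traversing/configure.zcml.
"""
import re
from urllib.parse import unquote

# Zope traversal namespace steps look like ++ns++name. Only the "debug"
# namespace is blocked; ++etc++, ++skin++, ++view++ and friends pass through.
DEBUG_STEP = re.compile(r"^\+\+debug\+\+", re.IGNORECASE)


def has_debug_step(path):
    """Return True if any '/'-separated step of PATH starts with ++debug++.

    The path is percent-decoded before matching so %2B%2Bdebug%2B%2B does
    not slip past a check for literal plus signs. WSGI servers normally
    hand over PATH_INFO already decoded, so decoding again can only make
    the filter stricter (a double-encoded step is also refused), which is
    the safe direction for a deny rule.
    """
    for step in unquote(path).split("/"):
        if DEBUG_STEP.match(step):
            return True
    return False


class BlockDebugNamespace:
    """WSGI middleware: 403 for any request containing a ++debug++ step."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if has_debug_step(path):
            body = b"Forbidden\n"
            start_response(
                "403 Forbidden",
                [("Content-Type", "text/plain"),
                 ("Content-Length", str(len(body)))],
            )
            return [body]
        return self.app(environ, start_response)


def _rendering_app(environ, start_response):
    """Stand-in for the Zope publisher: always renders a page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"rendered page\n"]


def status_for(path):
    """Push one constructed request through the middleware, return the status."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    app = BlockDebugNamespace(_rendering_app)
    # Consume the iterable so the app body actually runs.
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"]


if __name__ == "__main__":
    # Constructed sample paths: two normal requests, two debug-namespace probes.
    for sample in (
        "/index.html",
        "/++etc++site/",
        "/++debug++source/index.html",
        "/folder/%2B%2Bdebug%2B%2Btal/page",
    ):
        print(sample, "->", status_for(sample))
```

Wrapping the published application in `BlockDebugNamespace` is a stop-gap for deployments that cannot change the ZCML; the fix the report proposes, not registering the traverser at all outside developer mode, remains the right long-term answer because it removes the feature rather than hiding it behind a path filter.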