cocoon-dev mailing list archives

From Tony Collen <tcol...@neuagency.com>
Subject cocoon-view as possible security problem?
Date Thu, 20 Mar 2003 21:14:31 GMT
Browsing the livesites, on a whim I tried this URL:

http://dir.salon.com/?cocoon-view=content

and it worked!  Obviously someone deploying Cocoon should be aware that
this view is "on" by default, and may reveal data in your page you might
not want.  I have yet to see "bad" data get exposed, but there's always
the possibility.

Do we want the views turned off by default, and have a message in the
sitemap about enabling the views?  Would it make more sense to have
the name of the "cocoon-view" parameter be able to be changed via
configuration?  Say I wanted the parameter to be my-view instead of
cocoon-view.  Security through obscurity?


Tony
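A quick way to check whether a given deployment honours the parameter Tony describes, as an added example that is not part of the original post and not Cocoon's own code. It assumes the view names `content`, `pretty-content` and `links` are the defaults a Cocoon sitemap ships with (adjust the list for your own sitemap); the `fake_fetch` function and the two sample responses are constructed so the check can be exercised offline, and the `dir.salon.com` URL from the post is only used as the illustrative default target.

```python
"""Check whether a Cocoon deployment honours the cocoon-view request parameter.

Added example for this thread; it is not Cocoon code. The view names below are
assumed to be the defaults in Cocoon's sitemap; adjust them for your own site.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed default view names; a deployment may define others in its sitemap.
DEFAULT_VIEWS = ("content", "pretty-content", "links")


def view_url(base_url, view, param="cocoon-view"):
    """Return base_url with ?param=view appended, keeping any existing query."""
    parts = urllib.parse.urlsplit(base_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, view))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def fetch(url, timeout=10):
    """Fetch url and return (content_type, body); HTTP errors still yield a body."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    try:
        ctype = resp.headers.get("Content-Type", "")
        charset = resp.headers.get_content_charset() or "utf-8"
        return ctype, resp.read().decode(charset, errors="replace")
    finally:
        resp.close()


def view_exposed(normal, viewed):
    """Decide from two (content_type, body) pairs whether the view is served.

    The view counts as exposed when its response differs from the normal page
    and is either served with a different media type or starts with an XML
    prolog (the 'content' view serializes the raw pipeline XML). A body that
    differs only because of dynamic content is therefore not flagged.
    """
    n_type, n_body = normal
    v_type, v_body = viewed
    if v_body.strip() == n_body.strip():
        return False

    def media(content_type):
        return content_type.split(";")[0].strip().lower()

    return media(v_type) != media(n_type) or v_body.lstrip().startswith("<?xml")


def probe(base_url, views=DEFAULT_VIEWS, param="cocoon-view", fetcher=fetch):
    """Return {view: exposed?} for each candidate view name.

    `param` lets you probe a deployment that renamed the parameter; `fetcher`
    is injectable so the logic can be tested without network access.
    """
    normal = fetcher(base_url)
    return {view: view_exposed(normal, fetcher(view_url(base_url, view, param)))
            for view in views}


# Constructed sample responses so the check can be exercised offline.
SAMPLE_HTML = ("text/html; charset=UTF-8",
               "<html><body><h1>Directory</h1></body></html>")
SAMPLE_XML = ("text/xml",
              '<?xml version="1.0"?><directory><entry internal-id="42"/></directory>')


def fake_fetch(url):
    """Offline stand-in for fetch(): only cocoon-view=content returns raw XML."""
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    return SAMPLE_XML if query.get("cocoon-view") == "content" else SAMPLE_HTML


if __name__ == "__main__":
    # With a URL argument the live site is probed; without one, the offline
    # sample is used so the script demonstrates itself without network access.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetcher = fetch if target else fake_fetch
    for view, exposed in probe(target or "http://dir.salon.com/", fetcher=fetcher).items():
        print(f"{view}: {'EXPOSED' if exposed else 'not exposed'}")
```

Run it as `python probe_views.py https://your-cocoon-host/some/page` against a deployment you are authorised to test; a view reported as exposed means the pipeline's intermediate XML (and whatever the generator put in it) is reachable by anyone who can reach the page, which is the concern raised above.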
