[From nobody Tue May 26 11:17:12 2026
From: Ivan Shmakov <ivan@main.uusia.org>
To: submit@bugs.debian.org
Cc: Ivan Shmakov <oneingray@gmail.com>
Subject: rt-mailgate(1) should support some HTTP authentication
Reply-To: Ivan Shmakov <oneingray@gmail.com>
Date: Tue, 01 Mar 2011 01:36:55 +0600
Message-ID: <874o7oc5ns.fsf@violet.siamics.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)

Package: rt3.8-clients
Version: 3.8.8-7
Severity: wishlist

	The current version of rt-mailgate(1) relies on a specific
	“backdoor” to access the REST interface of RT, like:

    <Location /rt/REST/1.0/NoAuth>
        Order allow,deny
        Allow from ::1 127.0.0.0/8
        Satisfy any
    </Location>

	However, this configuration is insecure in at least two
	situations:

	• the RT installation is on a different host, so that the IP
	  address may be spoofed;

	• the host is used for Shell accounts of some less trusted
	  folks.

	OTOH, given that the HTTP basic authentication is only a matter
	of calling the LWP::UserAgent's ->credentials () method (as per
	the documentation [1]), it doesn't seem like a big deal to have
	it supported.

[1] http://search.cpan.org/~gaas/libwww-perl-5.837/lib/LWP/UserAgent.pm

-- 
FSF associate member #7257



]
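
The change requested in the report above, sketched as an added example; this is not rt-mailgate's code and not part of the original message. It shows an LWP::UserAgent client using ->credentials () against the RT location, with the password kept out of reach of other local accounts. The credentials file path, host name, realm, the mail-gateway path and the form field names are all assumptions.

```perl
#!/usr/bin/perl
# Added example (not rt-mailgate code): submit a message to RT with HTTP
# basic authentication instead of relying on an address-based exemption.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

my $cred_file = '/etc/rt-mailgate.cred';      # hypothetical; one line "user:password"
my $rt_url    = 'https://rt.example.org/rt';  # placeholder host
my $realm     = 'RT mail gateway';            # assumed; must equal the server's AuthName

sub read_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    # Check the opened handle, not the path, so the file cannot be swapped
    # between the check and the read. Other shell users on the host are one
    # of the two threats named in the report, so group/other access is refused.
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    die "$path must not be accessible by group or others\n" if $st[2] & 077;
    my $line = <$fh>;
    close($fh);
    defined $line or die "$path is empty\n";
    chomp $line;
    my ($user, $pass) = split(/:/, $line, 2);
    defined $pass or die "$path: expected user:password\n";
    return ($user, $pass);
}

sub make_agent {
    my ($url, $auth_realm, $user, $pass) = @_;
    my $uri = URI->new($url);
    # Basic auth is only base64-encoded, so refuse anything but TLS.
    die "refusing to send basic auth without https\n"
        unless ($uri->scheme // '') eq 'https';
    my $ua = LWP::UserAgent->new(timeout => 30);
    # credentials() is keyed on "host:port" plus realm: the password is sent
    # only to this server, and only after a 401 challenge for this realm.
    $ua->credentials($uri->host_port, $auth_realm, $user, $pass);
    return $ua;
}

my $ua      = make_agent($rt_url, $realm, read_credentials($cred_file));
my $message = do { local $/; <STDIN> };       # the mail, as the MTA pipes it in
# Path under the NoAuth location and field names are assumptions.
my $res = $ua->post("$rt_url/REST/1.0/NoAuth/mail-gateway",
    { queue => 'General', action => 'correspond', message => $message },
    Content_Type => 'form-data');
die "gateway request failed: " . $res->status_line . "\n" unless $res->is_success;
```

On the server side this pairs with an `AuthType Basic` stanza on the same `<Location>`, replacing `Satisfy any` with a requirement that the client authenticates.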