[request-tracker-maintainers] Bug#476269: Bug#476269: default apache config should limit REST requests
Niko Tyni
ntyni at debian.org
Thu Apr 17 11:17:55 UTC 2008
tag 476269 etch
found 476269 3.6.6-2
thanks
On Tue, Apr 15, 2008 at 03:42:06PM +0200, Arthur de Jong wrote:
> Subject: default apache config should limit REST requests
> The default installation of request tracker ships with sample config
> files for Apache that are missing an important directive that may be
> unnoticed. A part of the web interface is used for inserting email into
> the system (this is used by rt-mailgate).
> <Location /rt/REST/1.0/NoAuth>
> Order Allow,Deny
> Allow from 127.0.0.1
> </Location>
>
> Giving direct access to the REST interface allows users to bypass mail
> filtering rules.
Thanks for the report. This would indeed be a better default.
I'll add this in the next upload. I don't think the security implications
are so severe as to warrant an update for Etch, though.
Cheers,
--
Niko Tyni ntyni at debian.org
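
Added example, not part of the original message or of the Debian package: a small audit that checks whether an Apache configuration restricts the `/rt/REST/1.0/NoAuth` location to loopback, as the quoted report proposes. It assumes the `Order`/`Allow from` syntax shown in the report and plain `<Location>` blocks only; the sample configurations and the function name `audit_noauth` are constructed for illustration.

```python
import re

# Constructed sample configurations for illustration (not the package's files).
RESTRICTED = """
<Location /rt/REST/1.0/NoAuth>
    Order Allow,Deny
    Allow from 127.0.0.1
</Location>
"""
OPEN_TO_ALL = RESTRICTED.replace("127.0.0.1", "all")
MISSING = """
<Location /rt>
    Order Allow,Deny
    Allow from all
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_noauth(conf, path="/rt/REST/1.0/NoAuth"):
    """Return findings for `path`; an empty list means loopback-only access."""
    blocks = [body for loc, body in LOCATION_RE.findall(conf)
              if loc.strip('"').rstrip("/") == path]
    if not blocks:
        return [f"no <Location {path}> block; access rules are inherited"]
    findings = []
    for body in blocks:
        order, allowed = None, []
        for line in (l.strip() for l in body.splitlines()):
            if line.startswith("#"):
                continue
            m = re.match(r"Order\s+(\S+)$", line, re.I)
            if m:
                order = m.group(1).lower()
            m = re.match(r"Allow\s+from\s+(.+)$", line, re.I)
            if m:
                allowed += m.group(1).lower().split()
        # "Order Allow,Deny" denies any client that no Allow line matches.
        if order != "allow,deny":
            findings.append(f"Order is {order!r}, expected 'allow,deny'")
        wide = [h for h in allowed if h not in LOOPBACK]
        if wide:
            findings.append(f"Allow list is not loopback-only: {wide}")
    return findings


if __name__ == "__main__":
    for name in ("RESTRICTED", "OPEN_TO_ALL", "MISSING"):
        print(name, audit_noauth(globals()[name]) or "ok")
```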