[request-tracker-maintainers] Bug#615890: rt-mailgate(1) should support some HTTP authentication
Ivan Shmakov
ivan at main.uusia.org
Mon Feb 28 19:36:55 UTC 2011
Package: rt3.8-clients
Version: 3.8.8-7
Severity: wishlist
The current version of rt-mailgate(1) relies on a specific
“backdoor” to access the REST interface of RT, like:
    <Location /rt/REST/1.0/NoAuth>
        Order allow,deny
        Allow from ::1 127.0.0.0/8
        Satisfy any
    </Location>
However, this configuration is insecure in at least two
situations:
• the RT installation is on a different host, so that the IP
address may be spoofed;
• the host is used for Shell accounts of some less trusted
folks.
OTOH, given that the HTTP basic authentication is only a matter
of calling the LWP::UserAgent's ->credentials () method (as per
the documentation [1]), it doesn't seem like a big deal to have
it supported.
[1] http://search.cpan.org/~gaas/libwww-perl-5.837/lib/LWP/UserAgent.pm
--
FSF associate member #7257
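
Added illustration, not part of the original message and not rt-mailgate's own code: a stand-alone Perl client that submits a message using HTTP basic authentication through LWP::UserAgent's ->credentials (), as the report proposes. The URL, the realm name, the RT_GW_* environment variables and the form field names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example; RT_GW_* variables, realm, URL and form fields are hypothetical.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

use constant EX_TEMPFAIL => 75;   # sysexits.h: ask the MTA to retry later

my $url   = $ENV{RT_GW_URL}   || 'https://rt.example.org/rt/REST/1.0/NoAuth/mail-gateway';
my $realm = $ENV{RT_GW_REALM} || 'RT mail gateway';
my $user  = $ENV{RT_GW_USER};
my $pass  = $ENV{RT_GW_PASS};

sub fail { print STDERR "mailgate-auth: $_[0]\n"; exit EX_TEMPFAIL }

my $uri = URI->new($url);
# Basic auth is only base64-encoded, so never send it over cleartext HTTP.
fail("refusing to send credentials over " . ($uri->scheme // 'an unknown scheme'))
    unless ($uri->scheme // '') eq 'https';
fail("RT_GW_USER and RT_GW_PASS must be set")
    unless defined $user && defined $pass;

# max_redirect => 0: a redirect is treated as a failure, not followed.
my $ua = LWP::UserAgent->new(timeout => 30, max_redirect => 0);
# Certificate and host name verification; ssl_opts only exists in LWP 6 and later.
$ua->ssl_opts(verify_hostname => 1) if $ua->can('ssl_opts');
# Credentials are bound to one host:port and one realm; LWP sends them only
# in answer to a 401 challenge from that pair.
$ua->credentials($uri->host_port, $realm, $user, $pass);

my $message = do { local $/; <STDIN> };
fail("empty message on stdin") unless defined $message && length $message;

my $res = $ua->post($uri, {
    SessionType => 'REST',
    queue       => $ENV{RT_GW_QUEUE} || 'General',
    action      => 'correspond',
    message     => $message,
});

# A 401 here means a wrong user, password or realm. Exit with a temporary
# failure so the MTA keeps the mail queued instead of dropping it.
fail("gateway answered " . $res->status_line) unless $res->is_success;
exit 0;
```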