[request-tracker-maintainers] Bug#615890: Bug#615890: rt-mailgate(1) should support some HTTP authentication
Dominic Hargreaves
dom at earth.li
Thu Mar 3 18:54:48 UTC 2011
On Tue, Mar 01, 2011 at 01:36:55AM +0600, Ivan Shmakov wrote:
> The current version of rt-mailgate(1) relies on a specific
> “backdoor” to access the REST interface of RT, like:
>
> <Location /rt/REST/1.0/NoAuth>
> Order allow,deny
> Allow from ::1 127.0.0.0/8
> Satisfy any
> </Location>
>
> However, this configuration is insecure in at least two
> situations:
>
> • the RT installation is on a different host, so that the IP
> address may be spoofed;
>
> • the host is used for Shell accounts of some less trusted
> folks.
>
> OTOH, given that the HTTP basic authentication is only a matter
> of calling the LWP::UserAgent's ->credentials () method (as per
> the documentation [1]), it doesn't seem like a big deal to have
> it supported.
I thought about forwarding this straight into the upstream bugtracker,
but it might be worth you raising this on rt-users first. If it's as simple
as you suggest, and you have a desire for it, then it might be a case of
arguing the point by submission of a suitable patch :)
Best wishes,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
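
The LWP::UserAgent `->credentials()` call mentioned in the quoted report, as an added example that is not part of the original message and not code from rt-mailgate. The host name, realm, user name, environment variable, endpoint path under `NoAuth` and form field names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Constructed values (assumptions, not taken from the report).
my $url   = 'https://rt.example.org/rt/REST/1.0/NoAuth/mail-gateway';
my $realm = 'RT mail gateway';    # must equal the AuthName the server sends
my $user  = 'mailgate';
my $pass  = $ENV{RT_MAILGATE_PASS} // 'placeholder-password';

my $uri = URI->new($url);
# Basic auth is only base64-encoded, so never send it over plain HTTP.
die "refusing to send basic credentials over plain HTTP\n"
    unless $uri->scheme eq 'https';

my $ua = LWP::UserAgent->new(timeout => 30);
# credentials() stores the pair under "host:port" plus realm. LWP offers it
# only in reply to a 401 challenge whose host:port and realm both match.
$ua->credentials($uri->host_port, $realm, $user, $pass);

# Offline check of what LWP would answer to a challenge (no network used).
for my $challenge ($realm, 'Some other realm') {
    my @cred = $ua->get_basic_credentials($challenge, $uri, 0);
    printf "realm %-18s -> %s\n", "'$challenge'",
        @cred ? "would authenticate as $cred[0]" : 'no credentials sent';
}

# Deliver a message from STDIN only when called with --send.
if (@ARGV && $ARGV[0] eq '--send') {
    my $message = do { local $/; <STDIN> };
    my $r = $ua->post(
        $url,
        { queue => 'General', action => 'correspond', message => $message },
        Content_Type => 'form-data',
    );
    # A 401 here means the realm or host:port did not match, or the
    # password is wrong; die so the failure is not silent.
    die 'gateway refused: ' . $r->status_line . "\n" unless $r->is_success;
}
```

Run without arguments, the script only reports which challenge realm would be answered with credentials; the POST happens only with `--send`.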