On Tue, Mar 01, 2011 at 01:36:55AM +0600, Ivan Shmakov wrote:
> The current version of rt-mailgate(1) relies on a specific
> “backdoor” to access the REST interface of RT, like:
>
> <Location /rt/REST/1.0/NoAuth>
>     Order allow,deny
>     Allow from ::1 127.0.0.0/8
>     Satisfy any
> </Location>
>
> However, this configuration is insecure in at least two
> situations:
>
> • the RT installation is on a different host, so that the IP
>   address may be spoofed;
>
> • the host is used for Shell accounts of some less trusted
>   folks.
>
> OTOH, given that the HTTP basic authentication is only a matter
> of calling the LWP::UserAgent's ->credentials () method (as per
> the documentation [1]), it doesn't seem like a big deal to have
> it supported.
I thought about forwarding this straight into the upstream bugtracker,
but it might be worth you raising this on rt-users first. If it's as simple
as you suggest, and you have a desire for it, then it might be a case of
arguing the point by submission of a suitable patch :)

Best wishes,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
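
An added example, not part of either message and not rt-mailgate code: the client side of the proposal quoted above, with LWP::UserAgent's credentials() fed from a file that other shell users on the host cannot read. The function names, the realm and the file format (one "user:password" line) are assumptions made for this sketch.

```perl
#!/usr/bin/perl
# Added illustration, not rt-mailgate code. The function names, realm and
# credentials file format are hypothetical.
use strict;
use warnings;
use LWP::UserAgent;
use URI;
use Fcntl qw(:mode);

# Read "user:password" from a file that only its owner can access, so
# that other shell users on the host cannot recover the credentials.
sub read_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    die "$path must not be accessible to group or others\n"
        if $st[2] & (S_IRWXG | S_IRWXO);
    my $line = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $line;
    chomp $line;
    my ($user, $pass) = split /:/, $line, 2;
    die "$path must contain user:password\n"
        unless defined $pass && length $user && length $pass;
    return ($user, $pass);
}

# Build a user agent that answers the server's Basic challenge.
sub mailgate_agent {
    my ($rt_url, $realm, $cred_file) = @_;
    my $uri = URI->new($rt_url);
    die "unsupported URL scheme in $rt_url\n"
        unless ($uri->scheme // '') =~ /^https?$/;
    my ($user, $pass) = read_credentials($cred_file);
    my $ua = LWP::UserAgent->new(timeout => 30);
    # credentials() takes "host:port", the realm named in the server's
    # WWW-Authenticate header, then the user name and password.
    $ua->credentials($uri->host_port, $realm, $user, $pass);
    return $ua;
}

# Usage: script.pl <rt-base-url> <realm> <credentials-file>
if (@ARGV == 3) {
    my $ua = mailgate_agent(@ARGV);
    print "agent configured for $ARGV[0]\n";
}
```

Basic authentication sends the password with each request in a trivially decodable form, so against an RT server on a different host the base URL should be https.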

