Thanks for commenting, Massimo.

On Sep 19, 5:40 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> You are taking risks. People can steal your session cookie, access
> appadmin and from there run any python code using the query string.

oops, pretty scary.

> You should not comment those lines but go over https.

Actually, the connection is over HTTPS. Connection to Admin thru HTTP is still forbidden. i could login thru HTTPS to Admin by using the password set in parameters_443.py, but, hitting appadmin.py's index on the Admin's EDIT screen gave me 400 BAD REQUEST. Commenting out these lines was the only way i could find to avoid the error so far.

Even if these two lines are commented out, the connection is still HTTPS. Still risky?

i did something i should have done before asking... ran the shell on web2py, and found

    request.env.remote_addr is '127.0.0.1'

and

    request.env.http_host is '127.0.0.1:8000'

so

    request.env.remote_addr != request.env.http_host.split(':')[0]

looks false.

Then, it should be ok not to comment out the lines! BUT, i get the error 400 BAD REQUEST :-( When i comment these out, no error occurs.

This is very confusing to me... i must have missed something obvious. will appreciate any hints or suggestions.

> Massimo

--
Teru

> On Sep 18, 11:46 pm, suiato <homm...@gmail.com> wrote:
>
> > thanks to the instructions on the book and the example
> > web2py_wsgi.conf, i now can run web2py with mod_wsgi on apache. admin
> > with https worked fine, too, but i had to comment out the lines
> >     if request.env.remote_addr!=request.env.http_host.split(':')[0]:
> >         raise HTTP(400)
> > in models/appadmin.py.
> > is it ok, or am i taking a risk, what kind of risk? any alternatives?
> > will appreciate advice.
>
> > --
> > Teru
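An added example, not part of the original thread and not web2py's own code: the comparison quoted in the message, written as a plain function and run over constructed request environments. Only the first row uses the values reported in the thread; the function names, the other addresses and the hostnames are assumptions made for illustration.

```python
# Added illustration: the guard quoted in the thread, re-expressed as a plain
# function. This is not web2py source code; only the comparison is from the page.

def guard_status(remote_addr, http_host):
    """Return 400 where the quoted lines would raise HTTP(400), else 200."""
    if remote_addr != http_host.split(':')[0]:
        return 400
    return 200

# Constructed request environments. Only the first row uses values reported in
# the thread; the others are assumptions (documentation addresses and hostnames).
SAMPLES = [
    # (description, scheme, remote_addr, http_host)
    ("web2py shell, as reported in the thread", "http", "127.0.0.1", "127.0.0.1:8000"),
    ("remote browser via Apache", "https", "203.0.113.7", "www.example.com"),
    ("browser on the server, by name", "https", "127.0.0.1", "localhost"),
    ("browser on the server, by its own address", "https", "192.0.2.10", "192.0.2.10"),
]

def evaluate(samples=SAMPLES):
    """Map each description to the status the guard would produce."""
    # The scheme is carried along only to show that it plays no part in the check.
    return {desc: guard_status(addr, host) for desc, _scheme, addr, host in samples}

if __name__ == "__main__":
    for desc, status in evaluate().items():
        print(f"{status}  {desc}")
```

The guard is a literal string comparison between the client address and the host part of the Host header, and it never looks at the scheme, so an HTTPS request still gets 400 whenever those two strings differ. Values read in a local shell describe the shell's own environment, not a request arriving through Apache.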