Just to be safe ... You shouldn't use this entire patch unless your server is behind apache or a proxy server and best if protected by a firewall. It could open a potential security leak if you use the "domains" field for authentication and the zope server is not protected by apache.
Is the issue that the X-Forwarded-For header controls the domain setting?
yes ... everyone should probably not use this patch right-out-of-the-box.
Thanks guys! My apologies if I kicked the ball a little harder than was needed to get it rolling. In any case, it looks like a little more work is required before this patch will be ready for mainstream. 'HTTP_X_FORWARDED_FOR' should probably be ignored unless Zope is explicitly told to look at it. A list of allowed proxies, perhaps set as a startup parameter? Or a switch to turn it on (off by default) and a warning about restricting where direct connections to Zope are allowed from? In the meantime, a couple of restrictive firewall rules on my Zope box will prevent malicious users from connecting directly to Zope with a fake HTTP_X_FORWARDED_FOR.

Adam

ps. As soon as I get it all working perfectly I'll be putting everything I know about using Zope with mod_proxy in a doc for zope.org. (Yes, yet another match when you search for "proxypass", hopefully the last needed for a while.)
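An added example, not part of this thread and not Zope's own code, of the allowlist approach suggested above: the X-Forwarded-For header is only honoured when the direct peer (REMOTE_ADDR) is one of an explicitly configured set of proxies, so a client connecting straight to Zope cannot spoof the address used for the "domains" check. The proxy networks and the `environ` values are hypothetical.

```python
import ipaddress

# Hypothetical startup setting: proxies allowed to set X-Forwarded-For.
# An empty list is the "off by default" case: the header is never trusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),      # hypothetical Apache front end
    ipaddress.ip_network("192.168.1.0/24"),   # hypothetical internal proxy tier
]


def is_trusted(addr, trusted):
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def effective_client_ip(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the address that access checks (e.g. the 'domains' field) should use.

    environ is a WSGI/CGI-style dict with REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
    """
    remote = environ.get("REMOTE_ADDR", "")
    # Direct connection from an unknown peer: ignore the header entirely.
    if not trusted_proxies or not is_trusted(remote, trusted_proxies):
        return remote
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
            if h.strip()]
    # Walk the chain right to left. The rightmost entry was appended by the
    # trusted peer; keep stepping left while each hop is itself a trusted
    # proxy, and stop at the first address that is not.
    candidate = remote
    for hop in reversed(hops):
        candidate = hop
        if not is_trusted(hop, trusted_proxies):
            break
    # Never return something that does not parse as an IP address.
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return remote
    return candidate
```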