[Zope-dev] Patch acceptance. What about this one?
Joseph Wayne Norton
norton@alum.mit.edu
Fri, 28 Dec 2001 14:09:01 +0900
At Fri, 28 Dec 2001 00:14:21 -0500,
Chris McDonough wrote:
>
> > At the time, I hadn't received any feedback (however, I'm not blaming
> > anyone). I also never posted this to the collector before. Should one
> > of us post this?
>
> It would be appreciated, Joseph.
ok ... I can post this afternoon.
>
> > Just to be safe ... You shouldn't use this entire patch unless your
> > server is behind apache or a proxy server and best if protected by a
> > firewall. It could open a potential security leak if you use the
> > "domains" field for authentication and the zope server is not
> > protected by apache.
>
> Is the issue that the X-Forwarded-For header controls the domain setting?
>
yes ... everyone should probably not use this patch
right-out-of-the-box.
- j