Package: rt3.8-clients
Version: 3.8.8-7
Severity: wishlist

The current version of rt-mailgate(1) relies on a specific “backdoor” to access the REST interface of RT, like:

<Location /rt/REST/1.0/NoAuth>
    Order allow,deny
    Allow from ::1 127.0.0.0/8
    Satisfy any
</Location>

However, this configuration is insecure in at least two situations:

• the RT installation is on a different host, so that the IP address may be spoofed;
• the host is used for Shell accounts of some less trusted folks.

OTOH, given that the HTTP basic authentication is only a matter of calling the LWP::UserAgent's ->credentials () method (as per the documentation [1]), it doesn't seem like a big deal to have it supported.

[1] http://search.cpan.org/~gaas/libwww-perl-5.837/lib/LWP/UserAgent.pm

-- 
FSF associate member #7257
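Added example, not part of the original report and not rt-mailgate's own code: a Perl client that uses the LWP::UserAgent ->credentials() method the report refers to, reading the password from a file that other shell users on the host cannot read. The realm name "RT", the form field names, the credentials-file layout and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not rt-mailgate code: post a message to a REST URL
# that is protected by HTTP basic authentication.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Assumed layout: a credentials file holding "username:password" on one line.
sub read_credentials {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my @st = stat $fh or die "cannot stat $path: $!\n";
    # Refuse a file that other local (shell) users could read or modify.
    die "$path must not be accessible by group or others\n" if $st[2] & 077;
    die "$path must be owned by the invoking user\n" if $st[4] != $>;
    my $line = <$fh>;
    close $fh;
    die "$path is empty\n" unless defined $line;
    chomp $line;
    my ($user, $pass) = split /:/, $line, 2;
    die "$path: expected username:password\n"
        unless defined $pass && length $user;
    return ($user, $pass);
}

sub post_message {
    my ($url, $realm, $cred_file, $queue, $message) = @_;
    my $uri = URI->new($url);
    # Basic authentication sends the password in recoverable form: require TLS.
    die "refusing to send credentials to a non-HTTPS URL\n"
        unless ($uri->scheme // '') eq 'https';
    my ($user, $pass) = read_credentials($cred_file);
    my $ua = LWP::UserAgent->new(timeout => 30);
    # credentials() takes "host:port", realm, user name and password; LWP
    # answers the server's 401 challenge for that realm with these values.
    $ua->credentials($uri->host_port, $realm, $user, $pass);
    # Form field names are assumptions, not taken from the report.
    my %form = (queue => $queue, action => 'correspond', message => $message);
    my $res = $ua->post($uri, \%form, Content_Type => 'form-data');
    die 'request failed: ' . $res->status_line . "\n" unless $res->is_success;
    return $res->decoded_content;
}

# Constructed invocation: script.pl <https-url> <credentials-file> < message
if (@ARGV == 2) {
    my ($url, $cred_file) = @ARGV;
    my $message = do { local $/; <STDIN> };    # slurp the mail from stdin
    print post_message($url, 'RT', $cred_file, 'General', $message);
}
```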