On Tue, Oct 11, 2011 at 04:59:16PM -0400, Richard Hipp wrote:
> If you are using .htaccess style authentication for a Fossil instance on a
> website, you have to check the "Allow REMOTE_USER authentication" box on the
> /Admin/Access page to enable it.  That's a little obscure.  I wonder if we
> should just make Fossil honor REMOTE_USER by default when it is running as
> CGI.  Are there any adverse security considerations here?

If the site does not require http authentication, may a user force the
remote user through: "http://[email protected]/", and then bypass the fossil
login?