> > > Just to be safe ... You shouldn't use this entire patch unless your
> > > server is behind apache or a proxy server and best if protected by a
> > > firewall. It could open a potential security leak if you use the
> > > "domains" field for authentication and the zope server is not
> > > protected by apache.
> >
> > Is the issue that the X-Forwarded-For header controls the domain setting?
> >
> > yes ... everyone should probably not use this patch

Thanks guys!
My apologies if I kicked the ball a little harder than was needed to get it 

In any case, it looks like a little more work is required before this patch
will be ready for mainstream.

'HTTP_X_FORWARDED_FOR' should probably be ignored unless Zope is
explicitly told to look at it. A list of allowed proxies, perhaps set as a
startup parameter?
Or a switch to turn it on (off by default) and a warning about restricting
where direct connections to Zope are allowed from?

In the meantime, a couple of restrictive firewall rules on my Zope box
prevent malicious users from connecting directly to Zope with fake


As soon as I get it all working perfectly I'll be putting everything I know about
using Zope with mod_proxy in a doc for zope.org. (Yes, yet another match
when you search for "proxypass", hopefully the last needed for a while.)

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )
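As an added example (not the patch under discussion, and not Zope's own code), a Python helper that implements the suggestion above: honour X-Forwarded-For only when the direct peer is in an explicit, empty-by-default list of trusted proxies, walking the header from the right so a client-supplied prefix is never used. The CGI-style environ keys, TRUSTED_PROXIES and the function names are assumptions for this example.

```python
# Added example: resolve the effective client address from a CGI/WSGI-style
# environ, honouring X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is
# one of the explicitly configured proxies. Names here are assumptions.
import ipaddress

# Off by default: an empty list means X-Forwarded-For is always ignored.
TRUSTED_PROXIES = []


def _parse(addr):
    """Return an ip_address for addr, or None if it is not a valid literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def effective_client_address(environ, trusted_proxies=None):
    """Return the address Zope should treat as the client.

    REMOTE_ADDR is the TCP peer; HTTP_X_FORWARDED_FOR is the header as sent.
    The header is walked right-to-left, dropping trusted proxies, so a
    client-supplied prefix such as "1.2.3.4, " never reaches the result.
    """
    trusted = trusted_proxies if trusted_proxies is not None else TRUSTED_PROXIES
    trusted = {ipaddress.ip_address(p) for p in trusted}
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None or peer not in trusted:
        # Direct connection, or a peer we do not trust: ignore the header.
        return environ.get("REMOTE_ADDR", "")
    hops = [h for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    # Each trusted proxy appends the peer it saw, so the rightmost hops are
    # the ones vouched for by proxies we trust.
    while hops:
        candidate = _parse(hops.pop())
        if candidate is None:
            # Malformed hop: fall back to the proxy itself rather than guess.
            return str(peer)
        if candidate not in trusted:
            return str(candidate)
    # Every hop was a trusted proxy: report the proxy we are connected to.
    return str(peer)
```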
