Re: [fossil-users] scgi for Linux

2010-06-02 Thread Owen Shepherd
On 2 June 2010 18:11, Joshua Paine wrote:
> Only 127.0.0.1 is privileged, right? So can we just not trust
> X-Forwarded-For: 127.0.0.1 no matter who says it, and not worry if
> X-Forwarded-For is abused otherwise?
>
No. Fossil keys its login cookies off the user's IP address. If the user can pr

[fossil-users] FossilScope - a fossil repository monitor

2010-06-02 Thread James Bremner
I have released a Windows console application, FossilScope, to get alerts on new activity by others on any of your fossil repositories. The fossil timeline shows everything that happens in one repository. But it can be hard to spot activity by other people, when it is scattered over several dif

Re: [fossil-users] scgi for Linux

2010-06-02 Thread Joshua Paine
Only 127.0.0.1 is privileged, right? So can we just not trust X-Forwarded-For: 127.0.0.1 no matter who says it, and not worry if X-Forwarded-For is abused otherwise?
--
Joshua Paine
LetterBlock: Web applications built with joy
http://letterblock.com/
301-576-1920

Re: [fossil-users] scgi for Linux (was: Fossil behind proxy)

2010-06-02 Thread Kyle McKay
On Jun 2, 2010, at 05:00, June 1, 2010 05:17:39 PDT, Richard Hipp wrote:
> [7] In the odd case that I actually convinced you that http proxying is a
> better solution than SCGI for integrating a fossil repo into a larger
> website, adding support for "X-Forwarded-For" is just a few extra
> l

Re: [fossil-users] scgi for Linux (was: Fossil behind proxy)

2010-06-02 Thread Paul Ruizendaal
DRH wrote:
> Here again, we need to be mindful of security. Miscreants can easily forge
> an x-forwarded-for: line in an HTTP request and in the default configuration
> Fossil allows requests from 127.0.0.1 to bypass the login
> mechanism. (That login bypass for 127.0.0.1 makes the "f