3614 - Security needs improvement (REMOTE_HOST doesn't cut it)

Status: VERIFIED DUPLICATE of bug 20122

(Bugzilla :: Bugzilla-General, defect, P3)

Description

[Terry Weissman]

part of bugzilla's security is dependent on the REMOTE_HOST environment
variable, but it seems that apache doesn't always set that.  Need to find
the right thing to use.

Comment 1

[Terry Weissman]

Reassigning to dmose@mozilla.org, who now has front-line responsibility for
all Bonsai and Bugzilla bugs.

Comment 2

[Terry Weissman]

Reassigning back to me.  That stuff about me no longer being the front-line
person responsible for Bugzilla and Bonsai turned out to be short-lived.
Please pardon our confusion, and I'm very sorry about the spam.

Comment 3

[Hixie (not reading bugmail)]

Terry, when you find a better way of doing security please tell me about it,
because REMOTE_HOST is the only way of authenticating cookies that I could
think about when doing my own scripts (without storing passwords on the
client, which is even worse), and using cookies is the only way I have found of
not asking someone to login for every form!

Comment 4

[Terry Weissman]

tara@tequilarista.org is the new owner of Bugzilla and Bonsai.  (For details,
see my posting in netscape.public.mozilla.webtools,
news://news.mozilla.org/38F5D90D.F40E8C1A%40geocast.com .)

Comment 5

[Hixie (not reading bugmail)]

The solution is to use Digest Authentication or Basic Authentication and SSL.

*** This bug has been marked as a duplicate of 20122 ***

Comment 6

[John Unruh]

Verified dupe.

Comment 7

[Dave Miller [:justdave]]

moving to Bugzilla product
reassign to default owner/qa for INVALID/WONTFIX/WORKSFORME/DUPLICATE