| author | Michael Merickel <michael@merickel.org> | 2015-10-29 17:06:43 -0500 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2015-10-29 17:06:43 -0500 |
| commit | a2680f1909b435af92067de9830ac92c34ba7411 (patch) | |
| tree | 459a1693046a709d476ca5a50c0588b80a804b81 /TODO.txt | |
| parent | a09bc0d2e4ddaf8099bc7f6d0e42948534282a55 (diff) | |
add a note about userid security issues from #2060
Diffstat (limited to 'TODO.txt')
| -rw-r--r-- | TODO.txt | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -47,11 +47,9 @@ Nice-to-Have the templates chapter and elsewhere. Scan the documentation for reference to a renderer as *only* view configuration (it's a larger concept now). -- Add better docs about what-to-do-when-behind-a-proxy: paste.urlmap ("/foo = +- Add better docs about what-to-do-when-behind-a-proxy: rutter ("/foo = app1" and "domain app1.localhost = app1"), ProxyPreserveHost and the nginx - equivalent, preserving HTTPS URLs. - -- Alias the stupid long default session factory name. + proxy_params, preserving HTTPS URLs. - Debug option to print view matching decision (e.g. debug_viewlookup or so). @@ -163,3 +161,5 @@ Probably Bad Ideas - _fix_registry should dictify the registry being fixed. +- Apply a prefix to the userid principal to avoid poisoning the principal + namespace. See https://github.com/Pylons/pyramid/issues/2060 |
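Review bot: The first hunk (TODO.txt at line 47, "Nice-to-Have") carries changes the commit message does not mention: it swaps paste.urlmap for rutter, changes "the nginx equivalent" to "nginx proxy_params", and deletes the "Alias the stupid long default session factory name" item. The message only describes the userid note from #2060, so these should go in their own commit or be listed in the message, including whether the session factory item was completed or dropped. "proxy_params" would also read more clearly with a word on which forwarded headers the docs are meant to cover, since the item's goal is preserving host and HTTPS URLs behind a proxy.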
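Review bot: The second hunk (TODO.txt at line 161) appends the userid prefix item under "Probably Bad Ideas", which conflicts with a commit message that calls it a security issue; a reader scanning that section may dismiss it. Move it to a section that matches its priority, or add a clause explaining why it is filed there. The item would also be easier to act on if it said in a few words what "poisoning the principal namespace" means here, instead of relying only on the link to issue 2060.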
