From a2680f1909b435af92067de9830ac92c34ba7411 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Thu, 29 Oct 2015 17:06:43 -0500 Subject: add a note about userid security issues from #2060 --- TODO.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'TODO.txt') diff --git a/TODO.txt b/TODO.txt index e738b58d8..837c9d681 100644 --- a/TODO.txt +++ b/TODO.txt @@ -47,11 +47,9 @@ Nice-to-Have the templates chapter and elsewhere. Scan the documentation for reference to a renderer as *only* view configuration (it's a larger concept now). -- Add better docs about what-to-do-when-behind-a-proxy: paste.urlmap ("/foo = +- Add better docs about what-to-do-when-behind-a-proxy: rutter ("/foo = app1" and "domain app1.localhost = app1"), ProxyPreserveHost and the nginx - equivalent, preserving HTTPS URLs. - -- Alias the stupid long default session factory name. + proxy_params, preserving HTTPS URLs. - Debug option to print view matching decision (e.g. debug_viewlookup or so). @@ -163,3 +161,5 @@ Probably Bad Ideas - _fix_registry should dictify the registry being fixed. +- Apply a prefix to the userid principal to avoid poisoning the principal + namespace. See https://github.com/Pylons/pyramid/issues/2060 -- cgit v1.2.3
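Review bot: the first hunk (the "Nice-to-Have" region) removes the "Alias the stupid long default session factory name." item and swaps paste.urlmap for rutter and "nginx equivalent" for "nginx proxy_params", none of which the subject line "add a note about userid security issues from #2060" mentions; either note these cleanups in the commit message or split them into a separate commit so the history stays greppable for the security item alone. The rewritten proxy item also still reads as one sentence broken across "+- Add better docs about what-to-do-when-behind-a-proxy: rutter ("/foo =" and "+ proxy_params, preserving HTTPS URLs.", so check that the joined text of that list item still parses as intended.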
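Review bot: the second hunk files the new item under the "Probably Bad Ideas" section (per the hunk header context), which is at odds with the commit message describing it as a security note from #2060; if the userid collision with other principal strings is a real risk, move the item to a section that will be acted on, or extend the entry to say why prefixing the userid principal is considered a bad idea despite the issue. The two added lines "+- Apply a prefix to the userid principal to avoid poisoning the principal" / "+ namespace." would also be more useful to a future reader if they stated what "poisoning" means concretely (a userid value that is indistinguishable from another principal name in the same namespace) rather than relying on the linked issue alone.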