Unauthenticated IP spoofing should not be allowed
Now any server can spoof and get a kickstart file that might have interesting info (such as root password hash). This can be considered a security weakness as you shouldn't be allowed to spoof IPs unauthenticated anyway.
Next to that, as a workaround for #969, I've been forced to filter the allowed URLs in my apache config file (/etc/httpd/conf.d/foreman.conf - Check template sample below).
There is one important issue though. This won't match query strings such as "?spoof=" giving me one more reason for this request.
<Location /> Order Deny,Allow Deny from all <% scope.lookupvar('foreman::params::allowed_ips').split(',').each do |ip| -%> Allow from <%= ip %> <% end -%> Allow from 127.0.0.1 Allow from <%= ipaddress %> </Location> <Location ~ "^/unattended/(kickstart|built)$" > Order Deny,Allow Deny from all <% scope.lookupvar('foreman::params::unattended_allowed_ips').split(',').each do |ip| -%> Allow from <%= ip %> <% end -%> </Location>