From ed860311daf7e8187b9ee09d7db3896ce53be1c9 Mon Sep 17 00:00:00 2001 From: Jake Ichikawa Date: Tue, 19 Sep 2023 09:18:39 -0700 Subject: [PATCH 1/2] Add readme note for running TabPy unauthenticated. --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 9075f07b..96d301f5 100755 --- a/README.md +++ b/README.md @@ -27,6 +27,18 @@ Consider reading TabPy documentation in the following order: * [Authoring Python calculations in Tableau](docs/TableauConfiguration.md). * [TabPy Tools](docs/tabpy-tools.md) +Important security note: + +* By default, TabPy is configured without username/password authentication. +We strongly advise using TabPy only with authentication enabled. For more +information, see +[TabPy Server Configuration Instructions](docs/server-config.md#authentication). +Without authentication in place, if the TABPY_EVALUATE_ENABLE feature is +enabled (as it is by default), there is the possibility that unauthenticated +individuals could remotely execute code on the machine running TabPy. +Leaving these two settings in their default states together is highly +discouraged. + Troubleshooting: * [TabPy Wiki](https://github.com/tableau/TabPy/wiki) From 232631881120cdf38192d836a836dd122f3ce5eb Mon Sep 17 00:00:00 2001 From: Jake Ichikawa Date: Tue, 19 Sep 2023 09:19:03 -0700 Subject: [PATCH 2/2] Remove reference to Tableau Server username. --- docs/server-config.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/server-config.md b/docs/server-config.md index 3f0ce0a9..4b76b88d 100755 --- a/docs/server-config.md +++ b/docs/server-config.md 
@@ -314,14 +314,14 @@ For extended logging (e.g. for auditing purposes) additional logging can be turn on with setting `TABPY_LOG_DETAILS` configuration file parameter to `true`. With the feature on additional information is logged for HTTP requests: caller ip, -URL, client infomation (Tableau Desktop\Server), Tableau user name (for Tableau Server) -and TabPy user name as shown in the example below: +URL, client infomation (Tableau Desktop\Server) and TabPy user name as shown in +the example below: ``` -2019-05-02,13:50:08 [INFO] (base_handler.py:base_handler:90): Call ID: 934073bd-0d29-46d3-b693-b1e4b1efa9e4, Caller: ::1, Method: POST, Resource: http://localhost:9004/evaluate, Client: Postman for manual testing, Tableau user: ogolovatyi +2019-05-02,13:50:08 [INFO] (base_handler.py:base_handler:90): Call ID: 934073bd-0d29-46d3-b693-b1e4b1efa9e4, Caller: ::1, Method: POST, Resource: http://localhost:9004/evaluate, Client: Postman for manual testing 2019-05-02,13:50:08 [DEBUG] (base_handler.py:base_handler:120): Checking if need to handle authentication, << call ID: 934073bd-0d29-46d3-b693-b1e4b1efa9e4>> 2019-05-02,13:50:08 [DEBUG] (base_handler.py:base_handler:120): Handling authentication, <
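Review bot: In the README hunk (PATCH 1/2), the warning names two settings that together allow unauthenticated remote code execution but only links to the authentication section of docs/server-config.md; the reader is left without a pointer for the second setting. Suggest linking the `TABPY_EVALUATE_ENABLE` parameter as well so the "two settings" the closing sentence refers to are both actionable, and wrapping the setting name in backticks (`TABPY_EVALUATE_ENABLE`) to match the code-style used elsewhere in the README. Minor: the continuation lines of the bullet ("We strongly advise ...", "Leaving these two settings ...") are unindented lazy continuations; indenting them two spaces under the `*` keeps the whole note inside the single list item when rendered.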
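Review bot: In the docs/server-config.md hunk (PATCH 2/2), the rewritten `+URL, client infomation (Tableau Desktop\Server) and TabPy user name as shown in` line carries the pre-existing typo "infomation" forward; since the line is being touched anyway, change it to "client information". The sample log line is consistent with the prose change (the `Tableau user: ogolovatyi` field is dropped in both), which is good, but the surrounding sentence still says logging covers "caller ip, URL, client information and TabPy user name" while the example line shows no TabPy user at all; either add a TabPy user field to the example or note that it appears only when authentication is enabled, so the auditing claim matches what an operator will actually see.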