A security vulnerability was recently discovered by Björn Grüning with Galaxy's
"user impersonation" feature that can expose an administrator's active history
to users whom they impersonate. Only Galaxy instances with
`allow_user_impersonation = True` set in their configurations are affected, and
only if an administrator makes use of the impersonation feature. By default,
user impersonation is disabled.
A fix (id: 9d42f1e32efb) has been provided in the stable branch of Galaxy. To
apply the fix, ensure you are on the stable branch and upgrade to the latest

% hg branch
% hg pull -u

For Galaxy installations on relatively old versions that administrators are not
yet ready to upgrade, there are three workarounds. First, the patch can be
downloaded and applied manually, using either Mercurial or patch(1):

% wget -O security.patch
% hg patch security.patch
% patch -p1 < security.patch

Second, the impersonation feature can be disabled by setting the following
option in Galaxy's configuration file:
allow_user_impersonation = False
In all of the above cases, the Galaxy server process(es) must be restarted for
the change to take effect.
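The following script is an added example, not code from the Galaxy project or from this announcement. It shows how an administrator can audit an INI-style Galaxy configuration for the `allow_user_impersonation` option and, for the second workaround, rewrite it to `False` while leaving the rest of the file untouched. It assumes the option lives in an `[app:main]` section (the layout of Galaxy's `universe_wsgi.ini` of that era; the section name is a parameter) and uses a constructed sample configuration.

```python
import configparser

# Constructed sample configuration (not a real Galaxy config file); the
# [app:main] section layout is an assumption about the file being audited.
SAMPLE_CONFIG = """\
[app:main]
paste.app_factory = galaxy.web.buildapp:app_factory
# allow_user_impersonation = False   (commented out: has no effect)
allow_user_impersonation = True
"""

OPTION = "allow_user_impersonation"


def impersonation_enabled(config_text, section="app:main"):
    """Return True if the impersonation option is set to a true value.

    Galaxy disables impersonation when the option is absent, so a missing
    key or section reports False. Value parsing is case-insensitive, so
    'true', 'True', 'yes' and 'on' all count as enabled.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section(section):
        return False
    return parser.getboolean(section, OPTION, fallback=False)


def disable_impersonation(config_text, section="app:main"):
    """Return the config text with the option forced to False.

    The rewrite is line-based so comments, ordering and unrelated options
    survive. If the key is missing from the section it is appended; if the
    section itself is missing nothing is added, since the default is off.
    """
    out = []
    in_section = False
    rewritten = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving the target section without having seen the key.
            if in_section and not rewritten:
                out.append(f"{OPTION} = False")
                rewritten = True
            in_section = stripped[1:-1].strip() == section
        elif in_section and not stripped.startswith(("#", ";")):
            key = stripped.split("=", 1)[0].strip()
            if key == OPTION:
                line = f"{OPTION} = False"
                rewritten = True
        out.append(line)
    if in_section and not rewritten:
        out.append(f"{OPTION} = False")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled before:", impersonation_enabled(SAMPLE_CONFIG))
    fixed = disable_impersonation(SAMPLE_CONFIG)
    print("enabled after: ", impersonation_enabled(fixed))
    print(fixed)
```

As the announcement notes, editing the file is not enough on its own: the Galaxy server process(es) must be restarted before the new setting is read.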
Third, the feature can be left enabled and unpatched, and the vulnerability can
be worked around by educating administrators who use the feature. As long as a
new history is created by the administrator prior to switching to the
impersonated user, no data will be exposed to the impersonated user.