New submission from Alex Raitz <[email protected]>:
Clients can overwrite the 'REMOTE_USER' header variable value with an arbitrary
'Remote-User' value by specifying the latter after the former.
This has tricky implications when a proxy server is being used, namely that if
the proxy passes a re-written REMOTE_USER but also the user-supplied
'Remote-User', Python WSGI will actually store HTTP_REMOTE_USER as the value of
the user-supplied 'Remote-User' header based on the order that the headers are
processed.
./python2.6/wsgiref/headers.py:
    # inside Headers.add_header(): keyword-parameter names are normalized
    # by turning '_' into '-' before the header value is assembled
    for k, v in _params.items():
        if v is None:
            parts.append(k.replace('_', '-'))
        else:
            parts.append(_formatparam(k.replace('_', '-'), v))
----------
components: Extension Modules
messages: 124466
nosy: Alex.Raitz
priority: normal
severity: normal
status: open
title: WSGIREF - REMOTE_USER and REMOTE-USER collision
type: security
versions: Python 2.6, Python 2.7
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue10751>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
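The collision the report describes comes from the CGI meta-variable naming rule that WSGI servers apply to request headers: the header name is upper-cased, every '-' becomes '_', and the result is prefixed with HTTP_. Both 'Remote-User' and 'Remote_User' therefore land in HTTP_REMOTE_USER, so that key is client-controlled; the identity a proxy asserts must live in the separate, server-set REMOTE_USER key. The following is an added example written for this page, not wsgiref's own code. It models the order dependence the reporter observed as "last header wins" (an assumption; a real server may instead join duplicate headers with commas), builds a minimal environ from constructed sample headers, and shows the check an application should make: read REMOTE_USER only and ignore HTTP_REMOTE_USER.

```python
"""Model of the CGI/WSGI header-name mapping behind the REMOTE_USER
collision.  Added example, not wsgiref's own code."""


def cgi_env_key(header_name):
    """Map an HTTP header name to its CGI meta-variable name (RFC 3875):
    upper-case, '-' -> '_', prefixed with HTTP_."""
    return 'HTTP_' + header_name.replace('-', '_').upper()


def build_environ(request_headers, server_vars=None):
    """Build a minimal CGI-style environ from (name, value) header pairs.

    Headers are processed in wire order; a later header whose mapped key
    collides with an earlier one overwrites it.  This models the order
    dependence described in the report (assumption: a real server may
    instead comma-join duplicates).  Server-set variables such as
    REMOTE_USER are applied afterwards and are never derived from
    client headers.
    """
    environ = {}
    for name, value in request_headers:
        environ[cgi_env_key(name)] = value.strip()
    for key, value in (server_vars or {}).items():
        environ[key] = value
    return environ


def authenticated_user(environ):
    """Return the proxy-asserted identity, ignoring anything under HTTP_*.

    The only trustworthy identity key is REMOTE_USER, which the server
    (or an authenticating proxy in front of it) sets.  HTTP_REMOTE_USER
    is merely the client's 'Remote-User' / 'Remote_User' header.
    """
    return environ.get('REMOTE_USER')


# Constructed sample request: the proxy has authenticated 'alice', but the
# client also sent its own Remote_User/Remote-User headers, the second one
# arriving after the first.
SAMPLE_HEADERS = [
    ('Host', 'example.test'),
    ('Remote_User', 'alice'),
    ('Remote-User', 'mallory'),
]
SAMPLE_SERVER_VARS = {'REMOTE_USER': 'alice'}


def demo():
    """Return (HTTP_REMOTE_USER, REMOTE_USER) for the constructed request."""
    env = build_environ(SAMPLE_HEADERS, SAMPLE_SERVER_VARS)
    return env['HTTP_REMOTE_USER'], authenticated_user(env)


if __name__ == '__main__':
    http_value, user = demo()
    print('HTTP_REMOTE_USER =', http_value)  # client-controlled, last wins
    print('REMOTE_USER      =', user)        # server-set identity
```

Running it shows HTTP_REMOTE_USER holding the client's last 'Remote-User' value while REMOTE_USER still holds the proxy-asserted user; an application that reads HTTP_REMOTE_USER (or a proxy that copies a client header into REMOTE_USER without stripping it first) is the configuration the report warns about.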