[New-bugs-announce] [issue10751] WSGIREF - REMOTE_USER and REMOTE-USER collision

Alex Raitz report at bugs.python.org
Tue Dec 21 23:46:16 CET 2010

New submission from Alex Raitz <alex.raitz at gmail.com>:

Clients can overwrite 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the later after the former.

This has tricky implications when a proxy server is being used, namely that if the proxy passes a re-written REMOTE_USER but also the user-supplied 'Remote-User', Python WSGI will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header based on the order that the headers are processed. 


184         for k, v in _params.items():
185             if v is None:
186                 parts.append(k.replace('_', '-'))
187             else:
188                 parts.append(_formatparam(k.replace('_', '-'), v))

components: Extension Modules
messages: 124466
nosy: Alex.Raitz
priority: normal
severity: normal
status: open
title: WSGIREF - REMOTE_USER and REMOTE-USER collision
type: security
versions: Python 2.6, Python 2.7

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list