[New-bugs-announce] [issue10751] WSGIREF - REMOTE_USER and REMOTE-USER collision
Alex Raitz
report at bugs.python.org
Tue Dec 21 23:46:16 CET 2010
New submission from Alex Raitz <alex.raitz at gmail.com>:
Clients can overwrite the 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the latter after the former.
This has tricky implications when a proxy server is being used, namely that if the proxy passes a rewritten REMOTE_USER but also the user-supplied 'Remote-User', Python WSGI will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header, based on the order in which the headers are processed.
./python2.6/wsgiref/headers.py:

    for k, v in _params.items():
        if v is None:
            parts.append(k.replace('_', '-'))
        else:
            parts.append(_formatparam(k.replace('_', '-'), v))
----------
components: Extension Modules
messages: 124466
nosy: Alex.Raitz
priority: normal
severity: normal
status: open
title: WSGIREF - REMOTE_USER and REMOTE-USER collision
type: security
versions: Python 2.6, Python 2.7
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10751>
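The collision described in the report, shown as an added example that is neither part of the bug report nor wsgiref's own code: a minimal CGI-style header mapper (`env_key`, `naive_environ` and `strict_environ` are assumed names) that reproduces the last-wins overwrite, beside a hardened mapper that refuses to let two different raw header names collapse onto one environ key.

```python
import re


def env_key(name):
    """CGI convention: upper-case, non-alphanumerics to '_', 'HTTP_' prefix.
    Both 'REMOTE_USER' and 'Remote-User' end up as 'HTTP_REMOTE_USER'."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def naive_environ(headers):
    """Mapping with no collision handling: the last header processed wins,
    so a client-supplied 'Remote-User' can shadow the proxy's 'REMOTE_USER'."""
    env = {}
    for name, value in headers:
        env[env_key(name)] = value.strip()
    return env


def strict_environ(headers):
    """Hardened mapping: repeats of the *same* raw name are comma-joined as
    CGI allows, but two *different* raw names that collapse onto one environ
    key are treated as ambiguous, dropped, and reported so the server can
    reject or log the request.  Returns (env, ambiguous_keys)."""
    env, raw_for_key, ambiguous = {}, {}, set()
    for name, value in headers:
        key, raw = env_key(name), name.lower()
        if key in ambiguous:
            continue
        if key in raw_for_key and raw_for_key[key] != raw:
            ambiguous.add(key)
            env.pop(key, None)
            continue
        raw_for_key[key] = raw
        value = value.strip()
        env[key] = env[key] + "," + value if key in env else value
    return env, ambiguous


# Constructed sample request: the proxy set REMOTE_USER, and the client
# appended its own Remote-User header behind it.
SAMPLE = [("Host", "app.example"),
          ("REMOTE_USER", "alice"),
          ("Remote-User", "mallory")]

if __name__ == "__main__":
    print(naive_environ(SAMPLE)["HTTP_REMOTE_USER"])   # mallory
    env, amb = strict_environ(SAMPLE)
    print(sorted(amb), env.get("HTTP_REMOTE_USER"))   # ['HTTP_REMOTE_USER'] None
```

Whichever mapper is used, the authenticated identity a trusted proxy asserts belongs in the server-populated `REMOTE_USER` environ key, never in an `HTTP_*` key that any client can also write.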