[issue10751] REMOTE_USER and Remote-User collision in wsgiref
Alex Raitz
report at bugs.python.org
Tue Jan 4 23:40:34 CET 2011
Alex Raitz <alex.raitz at gmail.com> added the comment:
Per the first line of my previous comment, please ignore HTTP_REMOTE_USER.
The risk is that if the proxy does not place the user-supplied 'remote-user=VALUE1' before the proxy-supplied 'REMOTE_USER=VALUE2', wsgiref will overload REMOTE_USER with the value of REMOTE-USER.
1) Client supplies 'REMOTE-USER=admin'
2) Proxy adds 'REMOTE_USER=normal_user' and appends 'REMOTE-USER=admin'
3) Server using wsgiref processes header key/value 'REMOTE_USER=normal_user' and performs lowercase/replace, resulting in 'remote_user=normal_user'
4) Server using wsgiref continues to process the header, performs lowercase/replace on 'REMOTE-USER=admin', resulting in 'remote_user=admin', which overloads the proxy-supplied value for 'remote_user' and allows for arbitrary privilege escalation.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10751>
_______________________________________
More information about the Python-bugs-list mailing list
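An added example, not code from the report or from wsgiref itself: a simplified model of the normalization step the comment describes (header names with '-' replaced by '_' and upper-cased, written into the environ), the overwrite it causes on the constructed request from the report (proxy 'REMOTE_USER' first, client 'REMOTE-USER' after it), and the two checks that close the collision: a proxy-side strip of every client header that would normalize to a protected key, and a server-side fail-closed check that rejects a request in which more than one header maps to REMOTE_USER instead of letting header order decide. The PROTECTED set, the sample headers and the function names are assumptions for illustration.

```python
# Added example (not wsgiref's source): a simplified model of the header normalization
# the report describes, plus the two checks that close the collision.
# All header values below are constructed sample data.

from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Variables that must only ever come from the trusted hop (proxy/server), never a client.
# (Assumed set for this example.)
PROTECTED = {"REMOTE_USER"}


def normalize(name: str) -> str:
    """CGI-style rewrite applied to header names: '-' becomes '_', then upper-case.
    'REMOTE-USER', 'remote-user' and 'REMOTE_USER' all map to the same key."""
    return name.replace("-", "_").upper()


def build_environ_colliding(headers: Iterable[Header]) -> Dict[str, str]:
    """Models the risky behaviour from the report: each header is normalized and written
    straight into the environ, so whichever spelling comes last wins."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env[normalize(name)] = value.strip()
    return env


def proxy_strip_and_set(client_headers: Iterable[Header], user: str) -> List[Header]:
    """Proxy-side fix: drop every client header whose normalized name is protected,
    then append the proxy's own REMOTE_USER. Header order no longer matters after this."""
    kept = [(n, v) for n, v in client_headers if normalize(n) not in PROTECTED]
    kept.append(("REMOTE_USER", user))
    return kept


def build_environ_hardened(headers: Iterable[Header]) -> Dict[str, str]:
    """Server-side fix: fail closed. If more than one header normalizes to a protected
    key, the identity is ambiguous and the request is rejected (ValueError) rather than
    resolved by header order. Non-protected headers are kept under an HTTP_ prefix."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for name, value in headers:
        seen[normalize(name)].append(value.strip())
    env: Dict[str, str] = {}
    for key, values in seen.items():
        if key in PROTECTED:
            if len(values) != 1:
                raise ValueError(f"ambiguous {key}: {values!r}")
            env[key] = values[0]
        else:
            env["HTTP_" + key] = ",".join(values)
    return env


def identity_is_ambiguous(headers: Iterable[Header]) -> bool:
    """True when the hardened builder would reject the request."""
    try:
        build_environ_hardened(headers)
    except ValueError:
        return True
    return False


# Constructed request: the proxy put its REMOTE_USER first but forwarded the client's
# 'REMOTE-USER: admin' unchanged, exactly the ordering the report warns about.
SAMPLE_CLIENT_HEADERS: List[Header] = [("REMOTE-USER", "admin"), ("Host", "app.example")]
SAMPLE_FORWARDED: List[Header] = [("REMOTE_USER", "normal_user")] + SAMPLE_CLIENT_HEADERS


if __name__ == "__main__":
    print("naive   :", build_environ_colliding(SAMPLE_FORWARDED)["REMOTE_USER"])  # admin
    print("ambiguous:", identity_is_ambiguous(SAMPLE_FORWARDED))  # True
    fixed = proxy_strip_and_set(SAMPLE_CLIENT_HEADERS, "normal_user")
    print("stripped:", build_environ_hardened(fixed)["REMOTE_USER"])  # normal_user
```

The two checks are independent: the proxy strip is the actual fix, and the server-side rejection is the safety net for a proxy that forgets to strip or places its own header after the client's.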