New submission from Alex Raitz <alex.ra...@gmail.com>:

Clients can overwrite the 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the latter after the former.
This has tricky implications when a proxy server is being used, namely that if the proxy passes a re-written REMOTE_USER but also the user-supplied 'Remote-User', Python WSGI will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header, based on the order in which the headers are processed.

./python2.6/wsgiref/headers.py, lines 184-188:

    for k, v in _params.items():
        if v is None:
            parts.append(k.replace('_', '-'))
        else:
            parts.append(_formatparam(k.replace('_', '-'), v))

----------
components: Extension Modules
messages: 124466
nosy: Alex.Raitz
priority: normal
severity: normal
status: open
title: WSGIREF - REMOTE_USER and REMOTE-USER collision
type: security
versions: Python 2.6, Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10751>
_______________________________________
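The collision the report describes comes from the CGI naming rule for request headers: an environ key is 'HTTP_' plus the header name upper-cased with '-' replaced by '_', so a 'REMOTE_USER' header and a 'Remote-User' header both land on HTTP_REMOTE_USER. The following is an added example, not code from the bug report or from wsgiref: it models that mapping, a small environ-building loop (an assumption about server behaviour, written to mirror the comma-joining that wsgiref.simple_server applies to repeated headers), a check that detects two distinct header names feeding one environ key, and the defender-side rule that only the server-set REMOTE_USER identifies the user. The middleware class name, the helper names and the sample headers are constructed for the example.

```python
"""Added example: header-name collisions in a WSGI environ and how to
detect and neutralise them. Not part of the bug report; the environ
loop is an assumption modelled on the CGI naming convention."""


def header_to_environ_key(name):
    """CGI rule: 'Remote-User' and 'REMOTE_USER' both become HTTP_REMOTE_USER."""
    return 'HTTP_' + name.replace('-', '_').upper()


def build_environ(server_vars, headers):
    """server_vars: keys the server/proxy sets itself (e.g. REMOTE_USER after auth).
    headers: (name, value) pairs in wire order; duplicates are comma-joined,
    mirroring wsgiref.simple_server (assumption, not quoted code)."""
    environ = dict(server_vars)
    for name, value in headers:
        key = header_to_environ_key(name)
        if key in environ:
            environ[key] += ',' + value
        else:
            environ[key] = value
    return environ


def find_colliding_headers(headers):
    """Detection: environ keys that more than one distinct header name maps onto."""
    names_by_key = {}
    for name, _ in headers:
        names_by_key.setdefault(header_to_environ_key(name), set()).add(name)
    return {k: sorted(v) for k, v in names_by_key.items() if len(v) > 1}


def trusted_remote_user(environ):
    """Mitigation: only REMOTE_USER (set by the server, never derivable from a
    request header) identifies the user. HTTP_REMOTE_USER is client-controllable."""
    return environ.get('REMOTE_USER')


class DropClientIdentityHeaders:
    """Hypothetical WSGI middleware: removes client-controllable identity keys
    so an application cannot read HTTP_REMOTE_USER by mistake."""
    DROP = ('HTTP_REMOTE_USER',)

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        for key in self.DROP:
            environ.pop(key, None)
        return self.app(environ, start_response)


# Constructed sample request: the proxy forwarded a 'REMOTE_USER' header and
# a 'Remote-User' header followed it, as in the report.
SAMPLE_HEADERS = [
    ('Host', 'app.example'),
    ('REMOTE_USER', 'proxy-authenticated-user'),
    ('Remote-User', 'client-chosen-value'),
]
SAMPLE_SERVER_VARS = {'REMOTE_USER': 'proxy-authenticated-user'}


def demo():
    """Returns (raw HTTP_REMOTE_USER, collisions, trusted user, app body)."""
    environ = build_environ(SAMPLE_SERVER_VARS, SAMPLE_HEADERS)
    raw = environ['HTTP_REMOTE_USER']          # both header values, comma-joined
    collisions = find_colliding_headers(SAMPLE_HEADERS)
    trusted = trusted_remote_user(environ)

    def app(env, start_response):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        # After the middleware the key is gone, so the app sees None.
        return [str(env.get('HTTP_REMOTE_USER')).encode()]

    body = b''.join(DropClientIdentityHeaders(app)(environ, lambda s, h: None))
    return raw, collisions, trusted, body


if __name__ == '__main__':
    print(demo())
```

The point of find_colliding_headers is that a server or proxy can refuse (or log) a request in which two differently spelled names collapse to one environ key, rather than silently joining their values; the point of trusted_remote_user is that application code should never authenticate on an HTTP_-prefixed key, because every such key is reachable from the client.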