New submission from Alex Raitz :
Clients can overwrite 'REMOTE_USER' header variable value with an arbitrary
'Remote-User' value by specifying the later after the former.
This has tricky implications when a proxy server is being used, namely that if
the proxy passes a re
Alex Raitz added the comment:
Yes, I was referring to REMOTE_USER, apologies for the conflation with
HTTP_REMOTE_USER, which was one of the HTTP headers that a proxy which we were
testing was setting.
The customer that reported this issue to us was using FireFox with Tamper Data
to set
Alex Raitz added the comment:
Per the first line of my previous comment, please ignore HTTP_REMOTE_USER.
The risk is that if the proxy does not place the user-supplied
'remote-user=VALUE1' before the proxy-supplied 'REMOTE_USER=VALUE2', wsgiref
will overload REMOTE_US
Alex Raitz added the comment:
I had previously tested it against simple_server. However, in reviewing my
test, I realized that you are correct that wsgiref headers is not misbehaving.
It appears that in simple_server, the values of remote-user and remote_user
both end up in
