Ticket #850 (defect)
Opened 3 months ago
Last modified 2 months ago
REMOTE_USER should not be set by wsgiserver
Status: closed (fixed)
| Reported by: | ianb@colorstudy.com | Assigned to: | fumanchu |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | wsgiserver | Keywords: | |
| Cc: | ianb@colorstudy.com | | |
Per http://trac.pythonpaste.org/pythonpaste/ticket/291 -- wsgiserver is setting REMOTE_USER like:
```python
# Set AUTH_TYPE, REMOTE_USER
creds = environ.get("HTTP_AUTHORIZATION", "").split(" ", 1)
environ["AUTH_TYPE"] = creds[0]
if creds[0].lower() == 'basic':
    user, pw = base64.decodestring(creds[1]).split(":", 1)
    environ["REMOTE_USER"] = user
```
REMOTE_USER should only be set based on the checking of credentials. That is, you have to check the password. The server simply shouldn't set this value. There's no real purpose to setting AUTH_TYPE either.
This is a security problem, as REMOTE_USER is considered a trusted environmental variable, not one that can be set by a client alone.
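Added example, not code from the ticket or from CherryPy's wsgiserver: the unverified pattern quoted above beside a version that sets REMOTE_USER only after the password has been checked and that discards any REMOTE_USER already present in the environ. The demo user store, `_check_password` and the SHA-256 scheme are assumptions for illustration only.

```python
import base64
import hmac
from hashlib import sha256

# Constructed demo user store (assumption): username -> SHA-256 hex of the password.
# A real server would use a salted, slow password hash behind a proper store.
_USERS = {"alice": sha256(b"correct horse").hexdigest()}


def make_basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _check_password(user, password):
    """Return True only if (user, password) matches the demo store."""
    digest = sha256(password.encode("utf-8")).hexdigest()
    expected = _USERS.get(user)
    # compare_digest keeps the comparison constant-time for equal-length inputs.
    return expected is not None and hmac.compare_digest(expected, digest)


def flawed_set_remote_user(environ):
    """The pattern the ticket objects to: REMOTE_USER is taken from the header unverified."""
    creds = environ.get("HTTP_AUTHORIZATION", "").split(" ", 1)
    if len(creds) == 2 and creds[0].lower() == "basic":
        user, _pw = base64.b64decode(creds[1]).decode("utf-8").split(":", 1)
        environ["REMOTE_USER"] = user  # password never checked
    return environ.get("REMOTE_USER")


def verified_set_remote_user(environ):
    """Set REMOTE_USER only after the password has actually been verified."""
    # Anything that arrived as REMOTE_USER before authentication is untrusted.
    environ.pop("REMOTE_USER", None)
    creds = environ.get("HTTP_AUTHORIZATION", "").split(" ", 1)
    if len(creds) != 2 or creds[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(creds[1], validate=True).decode("utf-8")
        user, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat as unauthenticated
    if not _check_password(user, password):
        return None
    environ["AUTH_TYPE"] = "Basic"
    environ["REMOTE_USER"] = user
    return user
```

Downstream code that keys access on REMOTE_USER should therefore sit behind an authenticating layer like the second function, never behind a server that merely parses the header.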
Change History
09/27/08 16:09:33: Modified by fumanchu
- status changed from new to closed.
- resolution set to fixed.
- milestone set to 3.1.
Removed in [2042].