Alex Raitz <alex.ra...@gmail.com> added the comment: Per the first line of my previous comment, please ignore HTTP_REMOTE_USER.
The risk is that if the proxy does not place the user-supplied 'remote-user=VALUE1' before the proxy-supplied 'REMOTE_USER=VALUE2', wsgiref will overload REMOTE_USER with the value of REMOTE-USER.

1) Client supplies 'REMOTE-USER=admin'
2) Proxy adds 'REMOTE_USER=normal_user' and appends 'REMOTE-USER=admin'
3) Server using wsgiref processes header key/value 'REMOTE_USER=normal_user' and performs lowercase/replace, resulting in 'remote_user=normal_user'
4) Server using wsgiref continues to process the header, performs lowercase/replace on 'REMOTE-USER=admin', resulting in 'remote_user=admin', which overloads the proxy-supplied value for 'remote_user' and allows for arbitrary privilege escalation.

----------
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10751>
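The name collision described in the comment, shown as an added example (not code from the tracker issue or from wsgiref): a header name is normalized CGI-style (upper-case, '-' to '_', HTTP_ prefix), so 'REMOTE-USER' and 'REMOTE_USER' land on the same environ key and the last one wins. The strict variant detects two distinct raw names mapping to one key and rejects the request instead; the header values are constructed for illustration.

```python
# Constructed sample request headers, in arrival order: the proxy's own
# header first, then a client-supplied name differing only in '-' vs '_'.
RAW_HEADERS = [
    ("REMOTE_USER", "normal_user"),  # added by the proxy
    ("REMOTE-USER", "admin"),        # forwarded from the client
    ("Host", "app.internal"),        # hypothetical host name
]


def cgi_name(header):
    """CGI/WSGI-style normalization: upper-case, '-' -> '_', HTTP_ prefix."""
    return "HTTP_" + header.replace("-", "_").upper()


def naive_environ(headers):
    """Last-write-wins: the later colliding header silently overwrites."""
    env = {}
    for name, value in headers:
        env[cgi_name(name)] = value
    return env


def strict_environ(headers):
    """Build the environ but refuse requests where two *different* raw header
    names normalize to the same key. Repeats of the same name (compared
    case-insensitively, since header names are case-insensitive) are folded
    with a comma, as for any repeated header."""
    origin = {}  # normalized key -> lower-cased raw name that produced it
    env = {}
    for name, value in headers:
        key = cgi_name(name)
        raw = name.lower()
        if key in origin and origin[key] != raw:
            raise ValueError(
                f"header name collision on {key}: {origin[key]!r} vs {raw!r}")
        origin[key] = raw
        env[key] = env[key] + "," + value if key in env else value
    return env


def check(headers):
    """Return (value the naive build ends up with, whether strict build accepted)."""
    naive_value = naive_environ(headers).get("HTTP_REMOTE_USER")
    try:
        strict_environ(headers)
        accepted = True
    except ValueError:
        accepted = False
    return naive_value, accepted
```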