REMOTE_USER and REMOTE-USER collision in wsgiserver/__init__.py

Anonymous avatarAnonymous created an issue

Clients can overwrite 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the later after the former.

This has tricky implications when a proxy server is being used, namely that if the proxy passes a re-written REMOTE_USER but also the user-supplied 'Remote-User', CherryPy will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header based on the order that the headers are processed.

cherrypy/wsgiserver/init.py:

 492 k, v = k.strip().upper(), v.strip() 
 493 envname = "HTTP_" + k.replace("-", "_")

Reported by araitz@splunk.com

Comments (4)

  1. robertofaga
    • removed component
    • removed milestone

    Robert, should REMOTE_USER be transformed in HTTP_REMOTE_USER? Why not put in the initial env with others "REMOTE_"?

  2. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.