
Fixed #17869 - security improvement to RemoteUserMiddleware #134

Closed
wants to merge 3 commits into from

3 participants

Sylvain Bouchard Jannis Leidel chrismedrela
Sylvain Bouchard
  • (On behalf of Paul McMillan) This is a minor security fix, so it should be backported to 1.4.

Fixed #17869

  • RemoteUserMiddleware forces logout when the REMOTE_USER header disappears during the same browser session.
  • Added a test, and documentation for the 1.4.1 release.
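As an added, runnable illustration (not Django's code and not part of this PR), the model below reproduces the behaviour described above for a session shared across several requests and adds one refinement a reviewer would want: the forced logout applies only when the session was created by the remote-user backend, so a session that another backend (a login form, say) created survives a request without the header. `FakeRequest`, the session-key constants and the backend names are assumptions chosen for this illustration.

```python
# Added illustration, not Django's code and not part of this PR: a minimal,
# dependency-free model of RemoteUserMiddleware's header handling, extended
# with a check that the forced logout applies only to sessions created by the
# remote-user backend. FakeRequest, the session keys and the backend names are
# assumptions chosen for this illustration.

REMOTE_USER_HEADER = "REMOTE_USER"
USER_SESSION_KEY = "_auth_user_id"          # assumed session layout
BACKEND_SESSION_KEY = "_auth_user_backend"  # assumed session layout
REMOTE_BACKEND = "RemoteUserBackend"
MODEL_BACKEND = "ModelBackend"


class FakeRequest:
    """Stand-in for an HttpRequest: headers live in META, the session is a
    dict shared by every request of one browser session."""

    def __init__(self, session, meta=None):
        self.session = session
        self.META = meta if meta is not None else {}
        # AuthenticationMiddleware would normally resolve this from the session.
        self.user = session.get(USER_SESSION_KEY)

    def is_authenticated(self):
        return self.user is not None


def login(request, username, backend):
    """Record the user and which backend authenticated it, as auth.login() does."""
    request.session[USER_SESSION_KEY] = username
    request.session[BACKEND_SESSION_KEY] = backend
    request.user = username


def logout(request):
    """Flush the session so the next request starts anonymous."""
    request.session.clear()
    request.user = None


def remote_user_process_request(request):
    """Model of RemoteUserMiddleware.process_request after the fix.

    Returns the username the request ends with, or None for anonymous.
    """
    if REMOTE_USER_HEADER not in request.META:
        # Header gone: end the session, but only if the remote-user backend
        # created it. A session from another backend is left untouched,
        # which the diff in this PR does not check.
        if (request.is_authenticated()
                and request.session.get(BACKEND_SESSION_KEY) == REMOTE_BACKEND):
            logout(request)
        return request.user
    username = request.META[REMOTE_USER_HEADER]
    if request.is_authenticated() and request.user == username:
        return request.user  # already the right user, nothing to do
    # Header names a (different) user: the web server vouched for it, log in.
    login(request, username, REMOTE_BACKEND)
    return request.user


def simulate_header_disappearing():
    """Known user logs in via the header, then the header vanishes."""
    session = {}
    first = remote_user_process_request(
        FakeRequest(session, {REMOTE_USER_HEADER: "knownuser"}))
    second = remote_user_process_request(FakeRequest(session))
    return first, second


def simulate_other_backend_session():
    """A session created by another backend must survive a header-less request."""
    session = {}
    login(FakeRequest(session), "formuser", MODEL_BACKEND)
    return remote_user_process_request(FakeRequest(session))


def simulate_user_switch():
    """Header names a different user than the session holds: the header wins."""
    session = {}
    remote_user_process_request(FakeRequest(session, {REMOTE_USER_HEADER: "alice"}))
    return remote_user_process_request(FakeRequest(session, {REMOTE_USER_HEADER: "bob"}))


if __name__ == "__main__":
    print(simulate_header_disappearing())    # ('knownuser', None)
    print(simulate_other_backend_session())  # 'formuser'
    print(simulate_user_switch())            # 'bob'
```

The backend check is the design point: the middleware should only undo a login it performed itself, otherwise installing it next to a form-based login would terminate those sessions on every request that lacks the header.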
Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during the same browser session.

Added a test, and documentation for the 1.4.1 release.
8487613
Jannis Leidel
Owner
jezdez commented June 08, 2012

The changelog entry needs to be in 1.5.txt, too.

Sylvain Bouchard added some commits June 08, 2012
Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during the same browser session.

Added a test, and documentation for the 1.4.1 and 1.5 releases.
9dabaaa
Merge branch 'master' of github.com:bouchardsyl/django 189ed20
Sylvain Bouchard

Added changelog entry to 1.5.txt.

chrismedrela commented on the diff June 08, 2012
docs/releases/1.5.txt
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
92 92
 * In the localflavor for Canada, "pq" was added to the acceptable codes for
93 93
   Quebec. It's an old abbreviation.
94 94
 
  95
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
  96
+  disappears during a same browser session.

I'm afraid "during a same" is incorrect. I think that "during the same" is the correct one.

bouchardsyl closed this September 09, 2012
bouchardsyl reopened this September 09, 2012
bouchardsyl closed this September 09, 2012

2  django/contrib/auth/middleware.py
@@ -50,6 +50,8 @@ def process_request(self, request):
50 50
             # If specified header doesn't exist then return (leaving
51 51
             # request.user set to AnonymousUser by the
52 52
             # AuthenticationMiddleware).
  53
+            if request.user.is_authenticated(): 
  54
+                auth.logout(request) 
53 55
             return
54 56
         # If the user is already authenticated and that user is the user we are
55 57
         # getting passed in the headers, then the correct user is already
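Review bot: The two added lines log out any authenticated user whenever REMOTE_USER is absent, with no check of which backend authenticated the session, so on a site that also uses a login form (ModelBackend) together with this middleware every request lacking the header will end that user's session as well. Gate the logout on the session's backend, e.g. `if request.session.get(auth.BACKEND_SESSION_KEY) == 'django.contrib.auth.backends.RemoteUserBackend':` before `auth.logout(request)`. The comment immediately above the inserted lines ("then return (leaving request.user set to AnonymousUser by the AuthenticationMiddleware)") no longer describes what the code does and should mention the logout; both `+` lines also carry trailing whitespace.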
18  django/contrib/auth/tests/remote_user.py
@@ -2,7 +2,7 @@
2 2
 
3 3
 from django.conf import settings
4 4
 from django.contrib.auth.backends import RemoteUserBackend
5  
-from django.contrib.auth.models import User
  5
+from django.contrib.auth.models import User, AnonymousUser
6 6
 from django.test import TestCase
7 7
 from django.utils import timezone
8 8
 
@@ -95,6 +95,22 @@ def test_last_login(self):
95 95
         response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
96 96
         self.assertEqual(default_login, response.context['user'].last_login)
97 97
 
  98
+    def test_header_disappears(self):
  99
+        """
  100
+        Tests that a logged in user is logged out automatically when
  101
+        the REMOTE_USER header disappears during the same browser session.
  102
+        """
  103
+        User.objects.create(username='knownuser')
  104
+        User.objects.create(username='knownuser2')
  105
+        num_users = User.objects.count()
  106
+        # Known user authenticates
  107
+        response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
  108
+        self.assertEqual(response.context['user'].username, 'knownuser')
  109
+        self.assertEqual(User.objects.count(), num_users)
  110
+        # During the session, the REMOTE_USER header disappears. Should trigger logout.
  111
+        response = self.client.get('/remote_user/')
  112
+        self.assertEqual(type(response.context['user']), AnonymousUser)
  113
+
98 114
     def tearDown(self):
99 115
         """Restores settings to avoid breaking other tests."""
100 116
         settings.MIDDLEWARE_CLASSES = self.curr_middleware
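Review bot: test_header_disappears only covers a session that the middleware itself created; add a companion case that logs a user in through another backend (e.g. `self.client.login(...)` against ModelBackend) and then requests `/remote_user/` without the header, asserting the user stays logged in, because the middleware change has no backend check and that is the regression this file should catch. `self.assertEqual(type(response.context['user']), AnonymousUser)` is brittle against a lazy user proxy; `self.assertTrue(response.context['user'].is_anonymous())` expresses the intent directly. The `knownuser2` fixture and the `num_users` assertion check that the first request creates no user, which is unrelated to the header disappearing and not mentioned in the docstring; either drop them or say what they are for.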
9  docs/releases/1.4.1.txt
... ...
@@ -0,0 +1,9 @@
  1
+==========================
  2
+Django 1.4.1 release notes
  3
+==========================
  4
+
  5
+Fixed behaviour of RemoteUserMiddleware: force logout when the
  6
+REMOTE_USER header disappears during a same browser session.
  7
+
  8
+.. _bug: https://code.djangoproject.com/ticket/17869
  9
+
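Review bot: The `.. _bug:` target at the end of the file is never referenced, so the ticket link will not appear in the rendered notes; reference it from the sentence (e.g. "... during the same browser session (see `bug`_).") or drop it. "during a same browser session" should read "during the same browser session", the wording issue chrismedrela raised on the 1.5 notes. Since this is a behaviour change (an authenticated session now ends as soon as the header is missing), say so explicitly so that deployments which only send REMOTE_USER on some URLs know to expect it.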
3  docs/releases/1.5.txt
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
92 92
 * In the localflavor for Canada, "pq" was added to the acceptable codes for
93 93
   Quebec. It's an old abbreviation.
94 94
 
  95
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
  96
+  disappears during a same browser session.
  97
+
95 98
 Backwards incompatible changes in 1.5
96 99
 =====================================
97 100
 
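Review bot: Same wording fix as chrismedrela's comment: "during a same browser session" should be "during the same browser session". Beyond wording, this entry sits under "smaller improvements" while the change ends sessions that previously persisted once the header went away; deployments that send REMOTE_USER on only some URLs will see users logged out on the next request, so it belongs under the "Backwards incompatible changes in 1.5" heading that immediately follows this hunk.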