Fixed #17869 - security improvement to RemoteUserMiddleware #134

@@ -50,6 +50,8 @@ def process_request(self, request):
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
+ if request.user.is_authenticated():
+ auth.logout(request)
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
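Review bot: The new guard on the missing-header path logs out whoever is authenticated, without checking which backend authenticated them, so in a deployment that mixes RemoteUserBackend with another backend (a ModelBackend login form, say) any request that arrives without REMOTE_USER now ends that user's session as well. Limiting the logout to sessions the remote-user backend created avoids that: `stored_backend = auth.load_backend(request.session.get(auth.BACKEND_SESSION_KEY, ''))` followed by `if isinstance(stored_backend, RemoteUserBackend): auth.logout(request)`, with an ImportError from a stale backend path still falling through to `auth.logout(request)` (RemoteUserBackend would need importing in the middleware module, which this hunk does not show). The comment just above the added lines still says the branch only returns; it should now read `# If specified header doesn't exist then log out any authenticated remote user and return (leaving request.user set to AnonymousUser by the AuthenticationMiddleware).` process_request begins before this hunk and continues after it.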
@@ -2,7 +2,7 @@
from django.conf import settings
from django.contrib.auth.backends import RemoteUserBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
from django.test import TestCase
from django.utils import timezone
@@ -95,6 +95,22 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)
+ def test_header_disappears(self):
+ """
+ Tests that a logged in user is logged out automatically when
+ the REMOTE_USER header disappears during the same browser session.
+ """
+ User.objects.create(username='knownuser')
+ User.objects.create(username='knownuser2')
+ num_users = User.objects.count()
+ # Known user authenticates
+ response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+ self.assertEqual(response.context['user'].username, 'knownuser')
+ self.assertEqual(User.objects.count(), num_users)
+ # During the session, the REMOTE_USER header disappears. Should trigger logout.
+ response = self.client.get('/remote_user/')
+ self.assertEqual(type(response.context['user']), AnonymousUser)
+
def tearDown(self):
"""Restores settings to avoid breaking other tests."""
settings.MIDDLEWARE_CLASSES = self.curr_middleware
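Review bot: The final assertion in test_header_disappears, `self.assertEqual(type(response.context['user']), AnonymousUser)`, pins the exact class; `self.assertIsInstance(response.context['user'], AnonymousUser)` is the idiomatic unittest form and gives a clearer failure message. The test also ends right after the forced logout; one more request with `REMOTE_USER=self.known_user` asserting `response.context['user'].username == 'knownuser'` would show that the session can be re-established once the header is back. The hunk header announces 22 new-side lines but 21 are visible here, so a blank line appears to have been lost in rendering.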
@@ -0,0 +1,9 @@
+==========================
+Django 1.4.1 release notes
+==========================
+
+Fixed behaviour of RemoteUserMiddleware: force logout when the
+REMOTE_USER header disappears during a same browser session.
+
+.. _bug: https://code.djangoproject.com/ticket/17869
+
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
* In the localflavor for Canada, "pq" was added to the acceptable codes for
Quebec. It's an old abbreviation.
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+ disappears during a same browser session.
@chrismedrela
chrismedrela Jun 8, 2012

I'm afraid "during a same" is incorrect. I think "during the same" is the correct one.

+
Backwards incompatible changes in 1.5
=====================================