
Fixed #17869 - security improvement to RemoteUserMiddleware #365

Closed
wants to merge 3 commits into from

3 participants

Sylvain Bouchard Preston Holmes Florian Apolloner
Sylvain Bouchard
  • RemoteUserMiddleware forces logout when the REMOTE_USER header disappears during the same browser session.
  • Added a test and documentation for the 1.5 release.

Notes:

  • Target version is 1.5
  • Originally fixed during DjangoCon sprints in Zurich. I made a new commit based on today's fork (Sept 9, 2012)
  • Test with this command: ./runtests.py --settings=test_sqlite auth
  • Quoting an email from Paul McMillan: "this is a minor security fix so it should be backported to 1.4"
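The session behaviour this pull request changes, as an added Python model that is not Django's code and imports nothing from Django: a front-end server authenticates the user and passes the result in a `REMOTE_USER` header; the middleware logs the user in on the first annotated request, and the question is what happens on a later request in the same session that carries no header. The `User` and `Request` classes, the session keys and the two flags are constructed here for illustration. `force_logout_if_no_header=False` reproduces the pre-fix behaviour (the stale session keeps the user logged in), `True` reproduces the patch, and `only_remote_backend` goes beyond the patch by leaving sessions created by a different backend alone, which is the refinement a reviewer would ask for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Backend labels are constructed names for this model, not Django's dotted paths.
REMOTE_BACKEND = "RemoteUserBackend"
MODEL_BACKEND = "ModelBackend"


@dataclass
class User:
    username: Optional[str] = None
    backend: Optional[str] = None

    def is_authenticated(self) -> bool:
        return self.username is not None


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)
    user: User = field(default_factory=User)


def login(request: Request, username: str, backend: str) -> None:
    """Persist the user and the backend that vouched for them in the session."""
    request.session["user"] = username
    request.session["backend"] = backend
    request.user = User(username, backend)


def logout(request: Request) -> None:
    """Flush the session and replace request.user with an anonymous user."""
    request.session.clear()
    request.user = User()


def load_user_from_session(request: Request) -> None:
    """Stand-in for AuthenticationMiddleware: rebuild request.user from the session."""
    name = request.session.get("user")
    request.user = User(name, request.session.get("backend")) if name else User()


def remote_user_process_request(request: Request,
                                force_logout_if_no_header: bool = True,
                                only_remote_backend: bool = True) -> None:
    """Model of RemoteUserMiddleware.process_request (constructed, not Django's code).

    force_logout_if_no_header=False is the pre-fix behaviour: a missing header is
    ignored and whatever session exists keeps the user logged in.
    only_remote_backend narrows the fix so sessions created by another backend
    (for example a password login form) are left alone.
    """
    load_user_from_session(request)
    username = request.headers.get("REMOTE_USER")
    if not username:
        # Header absent: the front-end server no longer vouches for anyone.
        if force_logout_if_no_header and request.user.is_authenticated():
            if not only_remote_backend or request.user.backend == REMOTE_BACKEND:
                logout(request)
        return
    if request.user.is_authenticated() and request.user.username == username:
        return  # already the right user; nothing to do
    # Trust the header: the front-end server is assumed to have authenticated the user.
    login(request, username, REMOTE_BACKEND)


def simulate(header_sequence: List[Dict[str, str]],
             force_logout_if_no_header: bool,
             only_remote_backend: bool = True,
             preseed: Optional[Tuple[str, str]] = None) -> List[Optional[str]]:
    """Replay requests through one browser session; return the username seen on each."""
    request = Request()
    if preseed is not None:
        login(request, *preseed)  # e.g. a user who signed in through a login form
    seen: List[Optional[str]] = []
    for headers in header_sequence:
        request.headers = headers
        remote_user_process_request(request, force_logout_if_no_header, only_remote_backend)
        seen.append(request.user.username)
    return seen


if __name__ == "__main__":
    trace = [{"REMOTE_USER": "knownuser"}, {}]  # header present, then gone
    print("before fix:", simulate(trace, force_logout_if_no_header=False))
    print("after fix: ", simulate(trace, force_logout_if_no_header=True))
```

The second element of the returned list is the whole point: before the fix the stale session still reports `knownuser` after the front-end server has stopped vouching for the browser; after the fix it is anonymous. The `preseed` path shows why the backend check matters, since a user who signed in through a different backend never had a header to lose.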
Sylvain Bouchard bouchardsyl Fixed #17869
- RemoteUserMiddleware forces logout when REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
db90af1
django/contrib/auth/tests/remote_user.py
@@ -95,6 +95,23 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)
+ def test_header_disappears(self):
+ """
+ Tests that a logged in user is logged out automatically when
+ the REMOTE_USER header disappears during the same browser session.
+ """
+ User.objects.create(username='knownuser')
+ User.objects.create(username='knownuser2')
+ num_users = User.objects.count()
+ # Known user authenticates
+ response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+ self.assertEqual(response.context['user'].username, 'knownuser')
+ self.assertEqual(User.objects.count(), num_users)
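Review bot: in the lines shown, the test never reaches the case its docstring describes: after the single `self.client.get('/remote_user/', REMOTE_USER=self.known_user)` it asserts the username and that `User.objects.count()` is unchanged, and no request without the header is issued, so nothing checks that a logout actually happens. The two `User.objects.create` calls and the `num_users` comparison test nothing the view can affect; drop them and add a second `self.client.get('/remote_user/')` with no header, followed by an assertion that `response.context['user']` is no longer authenticated.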
Florian Apolloner Owner

What's the point of this query? I don't see anything in the view which could delete users (and even then, why should it delete users…)

Indeed. Cleaned it. See following commits, thank you.

bouchardsyl and others added some commits
Sylvain Bouchard bouchardsyl Fixed #17869
- RemoteUserMiddleware forces logout when REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
8f72185
Sylvain Bouchard Merge branch 'master' of github.com:bouchardsyl/django
Conflicts:
	django/contrib/auth/tests/remote_user.py
1f9b654
Preston Holmes
Collaborator

merged in 9741912

Preston Holmes ptone closed this
Commits on Sep 9, 2012
  1. Sylvain Bouchard

    Fixed #17869

    bouchardsyl authored Sylvain Bouchard committed
    - RemoteUserMiddleware forces logout when REMOTE_USER header disappears
      during the same browser session.
    - Added a test and documentation for the 1.5 release.
Commits on Sep 16, 2012
  1. Sylvain Bouchard

    Fixed #17869

    bouchardsyl authored Sylvain Bouchard committed
    - RemoteUserMiddleware forces logout when REMOTE_USER header disappears
      during the same browser session.
    - Added a test and documentation for the 1.5 release.
  2. Merge branch 'master' of github.com:bouchardsyl/django

    Sylvain Bouchard authored
    Conflicts:
    	django/contrib/auth/tests/remote_user.py
2  django/contrib/auth/middleware.py
@@ -50,6 +50,8 @@ def process_request(self, request):
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
+ if request.user.is_authenticated():
+ auth.logout(request)
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
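Review bot: the new `if request.user.is_authenticated(): auth.logout(request)` logs out every authenticated user whose request lacks the header, regardless of which backend authenticated them, so a site that runs RemoteUserMiddleware alongside an ordinary login form will drop those form-based sessions on any request the front-end server does not annotate. Consider restricting the logout to sessions whose stored backend is RemoteUserBackend, and exposing the behaviour as an overridable attribute so deployments where the header is legitimately absent on some paths can opt out. Also confirm that `auth` is already imported in this module; the hunk's context lines do not show the import.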
15 django/contrib/auth/tests/remote_user.py
@@ -2,7 +2,7 @@
from django.conf import settings
from django.contrib.auth.backends import RemoteUserBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
from django.test import TestCase
from django.utils import timezone
@@ -95,6 +95,19 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)
+ def test_header_disappears(self):
+ """
+ Tests that a logged in user is logged out automatically when
+ the REMOTE_USER header disappears during the same browser session.
+ """
+ User.objects.create(username='knownuser')
+ # Known user authenticates
+ response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+ self.assertEqual(response.context['user'].username, 'knownuser')
+ # During the session, the REMOTE_USER header disappears. Should trigger logout.
+ response = self.client.get('/remote_user/')
+ self.assertEqual(type(response.context['user']), AnonymousUser)
+
def tearDown(self):
"""Restores settings to avoid breaking other tests."""
settings.MIDDLEWARE_CLASSES = self.curr_middleware
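Review bot: `self.assertEqual(type(response.context['user']), AnonymousUser)` pins the test to the exact object `auth.logout` happens to assign rather than to the property the fix guarantees; `self.assertFalse(response.context['user'].is_authenticated())` states that property directly and would not break if the user object became a proxy. Worth adding in the same test: an assertion that the session no longer carries the user after the header-less request, since flushing it is what `auth.logout` is for, and a companion test for a user authenticated through another backend so the middleware's scope on a missing header is pinned down by the suite rather than left implicit.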
3  docs/releases/1.5.txt
@@ -127,6 +127,9 @@ Django 1.5 also includes several smaller improvements worth noting:
configuration duplication. More information can be found in the
:func:`~django.contrib.auth.decorators.login_required` documentation.
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+ disappears during the same browser session.
+
Backwards incompatible changes in 1.5
=====================================
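Review bot: the new release-note entry should mark up its names the way the surrounding entry does, i.e. `:class:`~django.contrib.auth.middleware.RemoteUserMiddleware`` and ``REMOTE_USER`` rather than bare words, and because the change ends sessions that previously survived a missing header it also belongs in the "Backwards incompatible changes in 1.5" section that immediately follows, so administrators whose front-end server omits the header on some paths learn about it before upgrading.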