
Fixed #17869 - security improvement to RemoteUserMiddleware #365

Closed
wants to merge 3 commits into from

2 participants

@ghost
ghost commented Sep 9, 2012
  • RemoteUserMiddleware forces logout when the REMOTE_USER header disappears during the same browser session.
  • Added a test and documentation for the 1.5 release.

Notes:

  • Target version is 1.5
  • Originally fixed during the DjangoCon sprints in Zurich. I made a new commit based on today's fork (Sept 9, 2012).
  • Test with this command: ./runtests.py --settings=test_sqlite auth
  • Quoting an email from Paul McMillan: "this is a minor security fix so it should be backported to 1.4"
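To make the behaviour this pull request changes concrete, here is an added, self-contained model of the two middleware variants (before and after the fix). It is illustration code written for this page, not Django's RemoteUserMiddleware: the `Request`, `Session`, `login`, `logout` and `simulate` names are constructed stand-ins for the Django objects, and the "after" variant is a simplified version of the fix (it does not reproduce every check the real middleware performs). What it shows is the security-relevant difference: once the web server stops sending REMOTE_USER, the old middleware leaves the session authenticated, while the fixed one logs the user out.

```python
"""Constructed model of the RemoteUserMiddleware change (not Django's code).

Contract mirrored here: a front-end web server authenticates the user and
passes the name in the REMOTE_USER header; the middleware trusts that header
and keeps a session for the user.
"""

SESSION_KEY = "_auth_user_id"  # assumed name for the session slot holding the user


class Session(dict):
    """Stand-in for a session store shared across requests in one browser."""


class Request:
    """Stand-in for an HTTP request with server-set META and a session."""

    def __init__(self, session, remote_user=None):
        self.META = {}
        if remote_user is not None:
            self.META["REMOTE_USER"] = remote_user
        self.session = session

    @property
    def user(self):
        """Username currently authenticated in the session, or None (anonymous)."""
        return self.session.get(SESSION_KEY)


def login(request, username):
    request.session[SESSION_KEY] = username


def logout(request):
    request.session.clear()


class RemoteUserMiddlewareBefore:
    """Behaviour before the fix: a missing header is silently ignored, so a
    session authenticated earlier stays logged in even though the web server
    no longer vouches for the user."""

    header = "REMOTE_USER"

    def process_request(self, request):
        try:
            username = request.META[self.header]
        except KeyError:
            return  # header gone: nothing happens, the session persists
        if request.user == username:
            return  # already logged in as this user
        login(request, username)


class RemoteUserMiddlewareAfter:
    """Behaviour after the fix (simplified): if the header disappears while
    the session is still authenticated, the session is logged out."""

    header = "REMOTE_USER"

    def process_request(self, request):
        try:
            username = request.META[self.header]
        except KeyError:
            if request.user is not None:
                logout(request)  # server stopped vouching: force logout
            return
        if request.user == username:
            return
        login(request, username)  # new or changed user: (re)authenticate


def simulate(middleware):
    """Two requests on one browser session: first with REMOTE_USER set to a
    constructed user 'knownuser', then with the header absent. Returns the
    user seen after each request."""
    session = Session()
    first = Request(session, remote_user="knownuser")
    middleware.process_request(first)
    seen_after_first = first.user
    second = Request(session)  # same session, header has disappeared
    middleware.process_request(second)
    return seen_after_first, second.user


if __name__ == "__main__":
    print("before fix:", simulate(RemoteUserMiddlewareBefore()))
    print("after fix: ", simulate(RemoteUserMiddlewareAfter()))
```

Running the module prints the user seen after each of the two requests for both variants; the first element is the same in both cases, and only the fixed variant returns an anonymous user once the header is gone. A test for the real middleware follows the same shape: one request with REMOTE_USER, one without, then an assertion on the second response's user.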
Sylvain Bouchard Fixed #17869
- RemoteUserMiddleware forces logout when the REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
db90af1
@apollo13 apollo13 and 1 other commented on an outdated diff Sep 16, 2012
django/contrib/auth/tests/remote_user.py
@@ -95,6 +95,23 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)
+ def test_header_disappears(self):
+ """
+ Tests that a logged in user is logged out automatically when
+ the REMOTE_USER header disappears during the same browser session.
+ """
+ User.objects.create(username='knownuser')
+ User.objects.create(username='knownuser2')
+ num_users = User.objects.count()
+ # Known user authenticates
+ response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+ self.assertEqual(response.context['user'].username, 'knownuser')
+ self.assertEqual(User.objects.count(), num_users)
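Review bot: In the lines shown, test_header_disappears never issues a request without REMOTE_USER, so the forced logout its docstring describes is not exercised here; after the first `self.client.get('/remote_user/', REMOTE_USER=self.known_user)` add a second `self.client.get('/remote_user/')` with the header omitted and assert that `response.context['user']` is anonymous. The `num_users` / `User.objects.count()` bookkeeping and the unused `knownuser2` row have no bearing on the header disappearing and can be dropped.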
@apollo13
Django member
apollo13 added a note Sep 16, 2012

What's the point of this query? I don't see anything in the view which could delete users (and even then, why should it delete users…)

@ghost
ghost added a note Sep 16, 2012

Indeed. Cleaned it. See following commits, thank you.

Sylvain Bouc... and others added some commits Sep 9, 2012
Sylvain Bouchard Fixed #17869
- RemoteUserMiddleware forces logout when the REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
8f72185
Sylvain Bouchard Merge branch 'master' of github.com:bouchardsyl/django
Conflicts:
	django/contrib/auth/tests/remote_user.py
1f9b654
@ptone
Django member
ptone commented Oct 30, 2012

merged in 9741912

@ptone ptone closed this Oct 30, 2012