
Fixed #17869 - security improvement to RemoteUserMiddleware #365

Closed
wants to merge 3 commits into from

3 participants

Sylvain Bouchard Preston Holmes Florian Apolloner
Sylvain Bouchard
  • RemoteUserMiddleware forces logout when the REMOTE_USER header disappears during the same browser session.
  • Added a test and documentation for the 1.5 release.

Notes:

  • Target version is 1.5
  • Originally fixed during DjangoCon sprints in Zurich. I made a new commit based on today's fork (Sept 9, 2012)
  • Test with this command: ./runtests.py --settings=test_sqlite auth
  • Quoting an email from Paul McMillan: "this is a minor security fix so it should be backported to 1.4"
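To make the behaviour change concrete without a Django install, here is an added stand-alone model of the middleware's control flow. It is not Django's code and not part of this pull request: the Session, User, Request, login() and logout() classes and functions are minimal stand-ins (assumptions) for the Django objects of the same names, and RemoteUserMiddleware below reproduces only the branch structure of django/contrib/auth/middleware.py, with a flag to switch between the pre-fix and post-fix handling of a missing header.

```python
"""Stand-alone model of the control flow in django.contrib.auth.middleware.
RemoteUserMiddleware around a vanishing REMOTE_USER header.

Added illustration, not Django's code: Session, User, Request, login() and
logout() below are minimal stand-ins (assumptions) for the Django objects
of the same names, kept just faithful enough to replay the scenario from
#17869 offline and compare the pre-fix and post-fix behaviour.
"""

SESSION_USER_KEY = "_auth_user_id"   # assumption: the key Django's auth app stores


class Session(dict):
    """Stand-in for Django's session store: a dict that can be flushed."""

    def flush(self):
        self.clear()


class AnonymousUser:
    username = ""

    def is_authenticated(self):
        return False


class User:
    def __init__(self, username):
        self.username = username

    def is_authenticated(self):
        return True


class Request:
    def __init__(self, session, remote_user=None):
        # A missing header means the key is absent from META, not empty.
        self.META = {} if remote_user is None else {"REMOTE_USER": remote_user}
        self.session = session
        self.user = AnonymousUser()


def authentication_middleware(request):
    """Stand-in for AuthenticationMiddleware: rebuild request.user from the session."""
    uid = request.session.get(SESSION_USER_KEY)
    request.user = User(uid) if uid else AnonymousUser()


def login(request, user):
    """Stand-in for auth.login: persist the user id in the session."""
    request.session[SESSION_USER_KEY] = user.username
    request.user = user


def logout(request):
    """Stand-in for auth.logout, which flushes the whole session, not just the auth keys."""
    request.session.flush()
    request.user = AnonymousUser()


class RemoteUserMiddleware:
    header = "REMOTE_USER"

    def __init__(self, force_logout_if_header_missing):
        self.force_logout = force_logout_if_header_missing

    def process_request(self, request):
        try:
            username = request.META[self.header]
        except KeyError:
            # Header gone, e.g. the user logged out of the upstream SSO.
            # Pre-fix behaviour: return and let the session user survive.
            # Post-fix (#17869): log the session user out explicitly.
            if self.force_logout and request.user.is_authenticated():
                logout(request)
            return
        # Same user as already in the session: nothing to do.
        if request.user.is_authenticated() and request.user.username == username:
            return
        # First sight of this user (or a different user): log them in.
        login(request, User(username))


def simulate(force_logout, headers):
    """Replay one browser session. `headers` is the REMOTE_USER value seen on
    each request (None = header absent). Returns the username the view would
    see on each request (None when anonymous) and the final session contents."""
    session = Session()
    middleware = RemoteUserMiddleware(force_logout)
    seen = []
    for value in headers:
        request = Request(session, value)
        authentication_middleware(request)
        middleware.process_request(request)
        seen.append(request.user.username if request.user.is_authenticated() else None)
    return seen, dict(session)


if __name__ == "__main__":
    # Constructed scenario: the upstream auth stops sending the header mid-session.
    print("pre-fix :", simulate(False, ["alice", None, "alice"]))
    print("post-fix:", simulate(True, ["alice", None, "alice"]))
```

With `force_logout=False` the second request, which carries no header, still renders as `alice` and the session keeps its user id: the Django session outlives whatever logged the user out upstream. With `force_logout=True` the same request flushes the session and the view sees an anonymous user. The flip side, visible from `simulate(True, ["alice", None])`, is that any request on which the web server does not set REMOTE_USER now ends the session, so deployments that protect only some URLs at the web-server level will notice this change.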
Sylvain Bouchard Fixed #17869
- RemoteUserMiddleware forces logout when REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
db90af1
django/contrib/auth/tests/remote_user.py
@@ -95,6 +95,23 @@ def test_last_login(self):
95 95
         response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
96 96
         self.assertEqual(default_login, response.context['user'].last_login)
97 97
 
  98
+    def test_header_disappears(self):
  99
+        """
  100
+        Tests that a logged in user is logged out automatically when
  101
+        the REMOTE_USER header disappears during the same browser session.
  102
+        """
  103
+        User.objects.create(username='knownuser')
  104
+        User.objects.create(username='knownuser2')
  105
+        num_users = User.objects.count()
  106
+        # Known user authenticates
  107
+        response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
  108
+        self.assertEqual(response.context['user'].username, 'knownuser')
  109
+        self.assertEqual(User.objects.count(), num_users)
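Review bot: as shown, test_header_disappears never issues a request without REMOTE_USER, so it cannot fail when the new logout is missing; the second user row (`knownuser2`) and the `num_users` / `User.objects.count()` bookkeeping do not relate to the behaviour under test either, since nothing in the view creates or deletes users. Drop the count assertions and the unused user, and follow the authenticated request with `self.client.get('/remote_user/')` (no header), asserting the resulting `response.context['user']` is anonymous.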
Florian Apolloner Owner

What's the point of this query? I don't see anything in the view which could delete users (and even then, why should it delete users…)

Indeed. Cleaned it. See following commits, thank you.

Sylvain Bouchard Fixed #17869
- RemoteUserMiddleware forces logout when REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
8f72185
Merge branch 'master' of github.com:bouchardsyl/django
Conflicts:
	django/contrib/auth/tests/remote_user.py
1f9b654
Preston Holmes
Owner

merged in 9741912

Preston Holmes ptone closed this October 29, 2012

Showing 3 unique commits by 2 authors.

Sep 09, 2012
Sylvain Bouchard Fixed #17869
- RemoteUserMiddleware forces logout when REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
db90af1
Sep 16, 2012
Sylvain Bouchard Fixed #17869
- RemoteUserMiddleware forces logout when REMOTE_USER header disappears
  during the same browser session.
- Added a test and documentation for the 1.5 release.
8f72185
Merge branch 'master' of github.com:bouchardsyl/django
Conflicts:
	django/contrib/auth/tests/remote_user.py
1f9b654
2  django/contrib/auth/middleware.py
@@ -50,6 +50,8 @@ def process_request(self, request):
50 50
             # If specified header doesn't exist then return (leaving
51 51
             # request.user set to AnonymousUser by the
52 52
             # AuthenticationMiddleware).
  53
+            if request.user.is_authenticated(): 
  54
+                auth.logout(request) 
53 55
             return
54 56
         # If the user is already authenticated and that user is the user we are
55 57
         # getting passed in the headers, then the correct user is already
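Review bot: the comment directly above the added lines (hunk lines 50-52) is now wrong: it says the early return leaves request.user as set by AuthenticationMiddleware, but the new branch explicitly logs that user out when the header is absent, so the comment should say so. Two smaller points: `auth.logout(request)` flushes the whole session rather than only the auth keys, so any other session state is lost on the first header-less request and that is worth a sentence in the middleware's documentation, and both added lines end in trailing whitespace.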
15  django/contrib/auth/tests/remote_user.py
@@ -2,7 +2,7 @@
2 2
 
3 3
 from django.conf import settings
4 4
 from django.contrib.auth.backends import RemoteUserBackend
5  
-from django.contrib.auth.models import User
  5
+from django.contrib.auth.models import User, AnonymousUser
6 6
 from django.test import TestCase
7 7
 from django.utils import timezone
8 8
 
@@ -95,6 +95,19 @@ def test_last_login(self):
95 95
         response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
96 96
         self.assertEqual(default_login, response.context['user'].last_login)
97 97
 
  98
+    def test_header_disappears(self):
  99
+        """
  100
+        Tests that a logged in user is logged out automatically when
  101
+        the REMOTE_USER header disappears during the same browser session.
  102
+        """
  103
+        User.objects.create(username='knownuser')
  104
+        # Known user authenticates
  105
+        response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
  106
+        self.assertEqual(response.context['user'].username, 'knownuser')
  107
+        # During the session, the REMOTE_USER header disappears. Should trigger logout.
  108
+        response = self.client.get('/remote_user/')
  109
+        self.assertEqual(type(response.context['user']), AnonymousUser)
  110
+
98 111
     def tearDown(self):
99 112
         """Restores settings to avoid breaking other tests."""
100 113
         settings.MIDDLEWARE_CLASSES = self.curr_middleware
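Review bot: `self.assertEqual(type(response.context['user']), AnonymousUser)` only checks what the view rendered on that one request; add an assertion on the session itself (for example that `'_auth_user_id'` is no longer in `self.client.session`) so the test proves the user was actually logged out and not merely left unattached for one request. A `type()` comparison is also brittle; `self.assertIsInstance(response.context['user'], AnonymousUser)` or `self.assertFalse(response.context['user'].is_authenticated())` reads better and survives subclassing.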
3  docs/releases/1.5.txt
@@ -127,6 +127,9 @@ Django 1.5 also includes several smaller improvements worth noting:
127 127
   configuration duplication. More information can be found in the
128 128
   :func:`~django.contrib.auth.decorators.login_required` documentation.
129 129
 
  130
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
  131
+  disappears during the same browser session.
  132
+
130 133
 Backwards incompatible changes in 1.5
131 134
 =====================================
132 135
 
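Review bot: this entry sits under the "smaller improvements" list, but it changes observable behaviour for every existing RemoteUserMiddleware deployment: a site where the web server sets REMOTE_USER only on some URLs will now log the user out on the first request to an unprotected URL. It should be called out under the "Backwards incompatible changes in 1.5" heading immediately below, not only here. Also follow the file's RST conventions, as on the `:func:` reference at line 128: ``REMOTE_USER`` in double backticks and :class:`~django.contrib.auth.middleware.RemoteUserMiddleware` for the class.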