Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed #17869 - security improvement to RemoteUserMiddleware #365

Closed
wants to merge 3 commits into from
Closed

Fixed #17869 - security improvement to RemoteUserMiddleware #365

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
db90af1
Fixed #17869
Sep 9, 2012
8f72185
Fixed #17869
Sep 9, 2012
1f9b654
Merge branch 'master' of github.com:bouchardsyl/django
Sep 16, 2012
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions django/contrib/auth/middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ def process_request(self, request):
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
if request.user.is_authenticated():
auth.logout(request)
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
Expand Down
15 changes: 14 additions & 1 deletion django/contrib/auth/tests/remote_user.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

from django.conf import settings
from django.contrib.auth.backends import RemoteUserBackend
from django.contrib.auth.models import User
from django.contrib.auth.models import User, AnonymousUser
from django.test import TestCase
from django.utils import timezone

Expand Down Expand Up @@ -95,6 +95,19 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)

def test_header_disappears(self):
"""
Tests that a logged in user is logged out automatically when
the REMOTE_USER header disappears during the same browser session.
"""
User.objects.create(username='knownuser')
# Known user authenticates
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(response.context['user'].username, 'knownuser')
# During the session, the REMOTE_USER header disappears. Should trigger logout.
response = self.client.get('/remote_user/')
self.assertEqual(type(response.context['user']), AnonymousUser)

def tearDown(self):
"""Restores settings to avoid breaking other tests."""
settings.MIDDLEWARE_CLASSES = self.curr_middleware
Expand Down
3 changes: 3 additions & 0 deletions docs/releases/1.5.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,9 @@ Django 1.5 also includes several smaller improvements worth noting:
configuration duplication. More information can be found in the
:func:`~django.contrib.auth.decorators.login_required` documentation.

* RemoteUserMiddleware now forces logout when the REMOTE_USER header
disappears during the same browser session.

Backwards incompatible changes in 1.5
=====================================

Expand Down