This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Alex.Raitz
Recipients Alex.Raitz
Date 2010-12-21.22:46:10
SpamBayes Score 0.00996069
Marked as misclassified No
Message-id <>
Clients can overwrite 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the later after the former.

This has tricky implications when a proxy server is being used, namely that if the proxy passes a re-written REMOTE_USER but also the user-supplied 'Remote-User', Python WSGI will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header based on the order that the headers are processed. 


184         for k, v in _params.items():
185             if v is None:
186                 parts.append(k.replace('_', '-'))
187             else:
188                 parts.append(_formatparam(k.replace('_', '-'), v))
Date User Action Args
2010-12-21 22:46:16Alex.Raitzsetrecipients: + Alex.Raitz
2010-12-21 22:46:16Alex.Raitzsetmessageid: <>
2010-12-21 22:46:10Alex.Raitzlinkissue10751 messages
2010-12-21 22:46:10Alex.Raitzcreate