Message124466
Clients can overwrite the 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the latter after the former.
This has tricky implications when a proxy server is being used, namely that if the proxy passes a re-written REMOTE_USER but also the user-supplied 'Remote-User', Python WSGI will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header based on the order that the headers are processed.
./python2.6/wsgiref/headers.py, lines 184-188:

    for k, v in _params.items():
        if v is None:
            parts.append(k.replace('_', '-'))
        else:
            parts.append(_formatparam(k.replace('_', '-'), v))

Date | User | Action | Args
2010-12-21 22:46:16 | Alex.Raitz | set | recipients: + Alex.Raitz
2010-12-21 22:46:16 | Alex.Raitz | set | messageid: <1292971576.27.0.760159303747.issue10751@psf.upfronthosting.co.za>
2010-12-21 22:46:10 | Alex.Raitz | link | issue10751 messages
2010-12-21 22:46:10 | Alex.Raitz | create |
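
Added example, not part of the original message and not wsgiref code: a small model of the header-name-to-environ mapping this report describes, with a check that flags colliding spellings and a proxy-side filter that drops them before the authenticated value is added. The function names, the sample headers and the last-value-wins overwrite are assumptions made for illustration.

```python
# Added illustration: all names and sample values below are constructed.

def environ_key(header_name):
    """CGI/WSGI naming convention: HTTP_ prefix, upper case, '-' becomes '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def naive_environ(headers):
    """Model of the behaviour in the report: a later header overwrites an earlier one."""
    env = {}
    for name, value in headers:
        env[environ_key(name)] = value
    return env


def find_collisions(headers):
    """Map each environ key to its header spellings when more than one spelling hits it."""
    seen = {}
    for name, _ in headers:
        spellings = seen.setdefault(environ_key(name), [])
        if name.lower() not in spellings:  # HTTP header names are case-insensitive
            spellings.append(name.lower())
    return {key: names for key, names in seen.items() if len(names) > 1}


def strip_untrusted(client_headers, trusted_names):
    """Drop every client header that normalizes to a protected identity key."""
    protected = {environ_key(n) for n in trusted_names}
    return [(n, v) for n, v in client_headers if environ_key(n) not in protected]


def proxy_forward(client_headers, authenticated_user, trusted_names=("Remote-User",)):
    """Hypothetical proxy step: remove spoofable spellings, then add the real value."""
    cleaned = strip_untrusted(client_headers, trusted_names)
    return cleaned + [("Remote-User", authenticated_user)]


# Constructed request: a proxy-written header followed by a client-supplied one.
SAMPLE = [("Host", "app.example"), ("REMOTE_USER", "alice"), ("Remote-User", "mallory")]

if __name__ == "__main__":
    print(naive_environ(SAMPLE)["HTTP_REMOTE_USER"])   # value the application would see
    print(find_collisions(SAMPLE))                     # spellings sharing one environ key
    print(naive_environ(proxy_forward([SAMPLE[0], SAMPLE[2]], "alice")))
```

The filter compares names after normalization, so it removes both the hyphen and the underscore spelling in any letter case.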