Author Alex.Raitz
Recipients Alex.Raitz, pje
Date 2011-01-04.17:55:27
SpamBayes Score 0.000842023
Marked as misclassified No
Message-id <1294163729.98.0.975303607741.issue10751@psf.upfronthosting.co.za>
In-reply-to
Content
Yes, I was referring to REMOTE_USER, apologies for the conflation with HTTP_REMOTE_USER, which was one of the HTTP headers that a proxy which we were testing was setting.

The customer that reported this issue to us was using Firefox with Tamper Data to set REMOTE-USER, AdNovum Nevis as the proxy, and Splunk as the server.

For example, the following is received by the proxy in question:

Host: foobar:42000
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: session_id_4200=69e6b6e33510fa64d8b18c34aa73b4b50eff37dc
remote-user: USER-SUPPLIED
Cache-Control: max-age=0 
Connection: Keep-Alive

The proxy sends the following to the server:

Host: localhost:4200
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
REMOTE_USER: normal_user
X-Forwarded-For: 10.3.1.53
X-Forwarded-Host: foobar:42000
X-Forwarded-Server: foobar <http://foobar>
Cookie: session_id_4200=69e6b6e33510fa64d8b18c34aa73b4b50eff37dc
Authorization: Basic Z2FyZXRoOjUzMjc5 
Cache-Control: max-age=0
remote-user: USER-SUPPLIED
Connection: Keep-Alive

In this case, replacing '-' with '_' in wsgiref would overload 'remote_user=normal_user' with 'remote_user=user-supplied'.

When testing with Apache, we found that all user-supplied variables were placed above the proxy-added variables, so that overloading was not an issue.  This seems like the appropriate and expected behavior.

However, given that the customer's chosen proxy did not exhibit this behavior, and searching for a specification for proxy behavior in this situation was inconclusive, our team deemed it advisable to file this issue.

Ideally, Python wsgiref should ensure that the proxy-supplied REMOTE_USER cannot be overloaded by a user-supplied REMOTE-USER that is passed to the server after the proxy-supplied REMOTE_USER.

Please note that Splunk uses wsgiref from the CherryPy framework, but when we investigated the issue we noticed that the replacement of '-' with '_' is the same in both Python and CherryPy wsgiref.  A bug has also been filed against CherryPy.
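Added example, not code from this message, from wsgiref or from CherryPy: a minimal model of the '-' to '_' normalisation described above, run over the headers of the proxy-to-server request shown earlier, beside a checked variant that keeps the first value for a key and reports any later header whose raw name differs but maps to the same key. The header list, the function names and the last-writer-wins behaviour of the naive version are assumptions made for the example.

```python
# Constructed from the proxy-to-server request quoted above; only the
# headers needed to show the collision are kept, in their original order.
PROXY_TO_SERVER_HEADERS = [
    ("Host", "localhost:4200"),
    ("REMOTE_USER", "normal_user"),      # added by the proxy
    ("X-Forwarded-For", "10.3.1.53"),
    ("remote-user", "USER-SUPPLIED"),    # forwarded unchanged from the client
    ("Connection", "Keep-Alive"),
]

def cgi_key(name):
    """CGI-style environ key for an HTTP header: '-' becomes '_', uppercased."""
    return "HTTP_" + name.replace("-", "_").upper()

def naive_environ(headers):
    """Last-writer-wins normalisation; reproduces the overload described
    above. This is a simplified stand-in, not wsgiref's actual code."""
    env = {}
    for name, value in headers:
        env[cgi_key(name)] = value.strip()
    return env

def checked_environ(headers):
    """Same normalisation, but the first value seen for a key wins and every
    later header whose raw name differs from the first one, yet maps to the
    same key, is reported as a collision. Repeats of the same raw name
    (compared case-insensitively, as HTTP header names are) are comma-joined
    as usual. Returns (environ, collisions)."""
    env, first_name, collisions = {}, {}, []
    for name, value in headers:
        key, value = cgi_key(name), value.strip()
        if key not in env:
            env[key], first_name[key] = value, name
        elif first_name[key].lower() == name.lower():
            env[key] += "," + value
        else:
            collisions.append((key, first_name[key], name))
    return env, collisions

if __name__ == "__main__":
    print(naive_environ(PROXY_TO_SERVER_HEADERS)["HTTP_REMOTE_USER"])
    env, collisions = checked_environ(PROXY_TO_SERVER_HEADERS)
    print(env["HTTP_REMOTE_USER"], collisions)
```

A server that uses the checked variant can refuse or log any request whose collisions list is non-empty instead of silently letting the later header win.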