Opened 12 months ago

Closed 11 months ago

Last modified 11 months ago

#23066 closed Bug (fixed)

Already logged-in user remains logged in when RemoteUser authentication of new user fails

Reported by: david.greisen@…
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords: remoteUserBackend RemoteUserMiddleware
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently, when remoteUserBackend fails to authenticate the
username passed in the header, and create_unknown_user==False,
RemoteUserMiddleware does nothing. Thus, if a different user
was logged in, that user will remain logged in despite the failed
attempt to log in a new user.

This is a security issue.

https://github.com/django/django/pull/2936 fixes this problem
by logging out the request if the user returned
by the middleware is None (a failed login attempt).
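The failure mode described in this ticket, reduced to a stand-alone model (an added example, not Django's own middleware or the linked pull request): the vulnerable version leaves the session user untouched when the header names an unknown user, while the fixed version logs out whenever REMOTE_USER names someone other than the session user. The `Request`, `authenticate`, `login` and `logout` names and the user table are assumptions chosen for illustration.

```python
# Added example, not Django's code: a stand-alone model of the bug and fix
# this ticket describes. Class and function names are assumptions.

KNOWN_USERS = {"alice", "bob"}   # constructed user table
CREATE_UNKNOWN_USER = False      # the setting the ticket discusses


class Request:
    """Minimal stand-in for a request whose session holds a username."""
    def __init__(self, remote_user=None, logged_in_as=None):
        self.META = {}
        if remote_user is not None:
            self.META["REMOTE_USER"] = remote_user
        self.user = logged_in_as  # username string, or None when anonymous


def authenticate(remote_user):
    """Backend: return the username if known, else None (no auto-creation)."""
    if remote_user in KNOWN_USERS or CREATE_UNKNOWN_USER:
        return remote_user
    return None


def login(request, username):
    request.user = username


def logout(request):
    request.user = None


def vulnerable_middleware(request):
    """Reported behaviour: a failed lookup changes nothing, so whoever is
    already in the session stays logged in."""
    username = request.META.get("REMOTE_USER")
    if username is None or request.user == username:
        return request
    user = authenticate(username)
    if user is not None:
        login(request, user)
    return request  # user is None: old session user silently kept


def fixed_middleware(request):
    """Fixed behaviour: if REMOTE_USER names someone other than the session
    user, log the session user out before authenticating the new name."""
    username = request.META.get("REMOTE_USER")
    if username is None or request.user == username:
        return request
    if request.user is not None:
        logout(request)
    user = authenticate(username)
    if user is not None:
        login(request, user)
    return request
```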

Change History (7)

comment:1 Changed 12 months ago by timo

  • Easy pickings unset
  • Has patch set
  • Needs documentation unset
  • Needs tests set
  • Patch needs improvement unset

If this is a security issue that can be exploited by an attacker, please report the details privately. If this is simply security hardening, then it's fine to post more details here.

As far as I can tell, Django's normal authentication doesn't implement the protocol of logging out an existing user after a failed login attempt. Could you elaborate (to the security@ alias if necessary) on why RemoteUserMiddleware needs to do so? Thanks.

(to be merged, the patch would also need a test)

comment:2 Changed 11 months ago by timo

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 11 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 0268b855f9eab3377f2821164ef3e66037789e09:

[1.6.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.

This is a security fix. Disclosure following shortly.

comment:4 Changed 11 months ago by Tim Graham <timograham@…>

In 5307ce565fbedb9cc27cbe7c757b41a00438d37c:

Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USER change.

This is a security fix. Disclosure following shortly.

comment:5 Changed 11 months ago by Tim Graham <timograham@…>

In c9e3b9949cd55f090591fbdc4a114fcb8368b6d9:

[1.4.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.

This is a security fix. Disclosure following shortly.

comment:6 Changed 11 months ago by Tim Graham <timograham@…>

In dd68f319b365f6cb38c5a6c106faf4f6142d7d88:

[1.5.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.

This is a security fix. Disclosure following shortly.

comment:7 Changed 11 months ago by Tim Graham <timograham@…>

In 1a45d059c70385fcd6f4a3955f3b4e4cc96d0150:

[1.7.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USER change.

This is a security fix. Disclosure following shortly.
