Opened 3 weeks ago

Closed 3 weeks ago

#37079 closed Bug (fixed)

RemoteUserMiddleware assumes all ASGI requests will be handled by its async path

Reported by: Jacob Walls
Owned by: Jacob Walls
Component: contrib.auth
Version: 5.2
Severity: Normal
Keywords:
Cc: Mykhailo Havelia, Sarah Boyce, Jon Janzen
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

As pointed out in a review, RemoteUserMiddleware doesn't account for the case where an ASGI request passes through (sync) process_request() due to subsequent sync-only middleware in the stack. This could cause the wrong header to be looked up.

Bug in 50f89ae850f6b4e35819fe725a08c7e579bfd099.

Change History (5)

comment:1 by Jacob Walls, 3 weeks ago

comment:2 by Jacob Walls, 3 weeks ago

Summary: RemoteUserMiddleware assumes all ASGI requests will be handled by its sync path → RemoteUserMiddleware assumes all ASGI requests will be handled by its async path

comment:3 by Sarah Boyce, 3 weeks ago

Triage Stage: Unreviewed → Accepted

comment:4 by Sarah Boyce, 3 weeks ago

Triage Stage: Accepted → Ready for checkin

comment:5 by Jacob Walls <jacobtylerwalls@…>, 3 weeks ago

Resolution: fixed
Status: assigned → closed

In 0147222:

Fixed #37079 -- Fixed specialization of header lookups in RemoteUserMiddleware.

We need to switch on whether the request is a WSGI or ASGI request to
know whether to prepend HTTP_: we cannot assume sync execution means
we are running under WSGI, as there could be other sync middleware
forcing sync execution under ASGI.

Thanks Mykhailo Havelia for the report.
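
A minimal model of the lookup problem this ticket describes, added here as an illustration; it is not Django's code or the committed patch. The `Fake*` classes and `lookup_*` functions are hypothetical stand-ins, and the model assumes the ASGI side is the one that receives the `HTTP_` prefix.

```python
# Stand-in model, not Django code: every class and function name is hypothetical.
HEADER = "REMOTE_USER"  # configured header name, as on RemoteUserMiddleware.header


class FakeWSGIRequest:
    """META is the WSGI environ: the server sets REMOTE_USER unprefixed."""

    def __init__(self, environ):
        self.META = dict(environ)


class FakeASGIRequest:
    """META is built from HTTP headers, each stored as HTTP_<NAME> (assumed)."""

    def __init__(self, headers):
        self.META = {
            "HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()
        }


def lookup_by_execution_path(request, running_async):
    # Behaviour the ticket reports: the sync path assumes a WSGI request.
    key = "HTTP_" + HEADER if running_async else HEADER
    return request.META.get(key)


def lookup_by_request_type(request):
    # Behaviour the fix describes: switch on request type, not on sync/async.
    key = "HTTP_" + HEADER if isinstance(request, FakeASGIRequest) else HEADER
    return request.META.get(key)


def demo():
    wsgi = FakeWSGIRequest({"REMOTE_USER": "alice"})  # constructed sample
    asgi = FakeASGIRequest({"Remote-User": "alice"})  # constructed sample
    return {
        "wsgi_sync_old": lookup_by_execution_path(wsgi, running_async=False),
        "asgi_async_old": lookup_by_execution_path(asgi, running_async=True),
        # ASGI request forced through the sync path by a later sync-only middleware:
        "asgi_sync_old": lookup_by_execution_path(asgi, running_async=False),
        "asgi_sync_fixed": lookup_by_request_type(asgi),
        "wsgi_sync_fixed": lookup_by_request_type(wsgi),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user!r}")
```

In the model, only the ASGI-through-sync case fails to find the user when the key is chosen by execution path; choosing by request type resolves it for both request kinds.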
