=== RemoteUserMiddleware and ASGI ===

Hello,

Thank you for your report. After review, we've determined that the reported issue only affects workflows that process user input without sanitization. As documented at [0]:

"Reports based on a failure to sanitize user input are not valid security vulnerabilities. It is the developer’s responsibility to properly handle user input."

If using the `Remote-User` header for authentication, it's critical that it not be allowed through clients. Whatever intermediary proxy is handling the authentication should strip out the header from all requests. Because of this, the behavior you reported is not considered a security issue within the Django project.

For further details, you can review and help in https://code.djangoproject.com/ticket/36862.

Thanks for taking the time to submit it through the appropriate channel.

Kind regards, the Django Security Team.

[0] https://docs.djangoproject.com/en/stable/internals/security/#user-input-must-be-sanitized

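As an added illustration of the trust boundary the reply above describes (this is not code from the Django project or from the ticket), the following self-contained Python models what a header-based `RemoteUserMiddleware` subclass would see behind a proxy that passes client headers through versus one that strips them. The header-to-`META` conversion is modelled on Django's `ASGIRequest` (every header becomes `HTTP_<NAME>` with `-` mapped to `_`, repeated headers joined with a comma); the two proxy functions, the `HTTP_REMOTE_USER` header name and the request headers are assumptions constructed for the example. It goes one step beyond the reply by also covering the `Remote_User` (underscore) spelling, which Django collapses onto the same `META` key, so a proxy that only strips the exact `Remote-User` name is still bypassable.

```python
# Added example: in-process model of the Remote-User trust boundary.
# Not Django's own code; the META mapping mirrors django.core.handlers.asgi
# as an assumption, and the proxies below are hypothetical.

IDENTITY_HEADER = b"remote-user"  # assumption: the header the auth proxy sets


def asgi_headers_to_meta(headers):
    """Mirror how Django's ASGIRequest turns ASGI scope headers into request.META
    (assumed behaviour, simplified): HTTP_<UPPER, '-' -> '_'> keys, with
    repeated headers joined by a comma."""
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        value = raw_value.decode("latin1")
        if name == "content-length":
            key = "CONTENT_LENGTH"
        elif name == "content-type":
            key = "CONTENT_TYPE"
        else:
            key = "HTTP_%s" % name.upper().replace("-", "_")
        if key in meta:
            value = meta[key] + "," + value
        meta[key] = value
    return meta


def remote_user(meta, header="HTTP_REMOTE_USER"):
    """Username a RemoteUserMiddleware subclass with header = "HTTP_REMOTE_USER"
    would trust, or None when the key is absent or empty."""
    return meta.get(header) or None


def normalised(name):
    """Collapse the spellings Django maps onto one META key ('-' and '_',
    any case) so the strip below cannot be dodged with Remote_User."""
    return name.lower().replace(b"_", b"-")


def passthrough_proxy(client_headers, proxy_user):
    """Misconfigured proxy: forwards the client's headers untouched and only
    appends its own identity header for an authenticated user."""
    out = list(client_headers)
    if proxy_user is not None:
        out.append((IDENTITY_HEADER, proxy_user.encode("latin1")))
    return out


def stripping_proxy(client_headers, proxy_user):
    """Correctly configured proxy: drops every client-supplied copy of the
    identity header (all spellings), then sets its own, if any."""
    out = [(n, v) for n, v in client_headers if normalised(n) != IDENTITY_HEADER]
    if proxy_user is not None:
        out.append((IDENTITY_HEADER, proxy_user.encode("latin1")))
    return out


def who_does_django_see(proxy, client_headers, proxy_user):
    """Run one request through the chosen proxy model and return the username
    the application would end up trusting."""
    return remote_user(asgi_headers_to_meta(proxy(client_headers, proxy_user)))


# Constructed request: an unauthenticated client forging an identity.
FORGED_CLIENT_HEADERS = [
    (b"host", b"app.example.test"),
    (b"remote-user", b"admin"),
]

# Same forgery using the underscore spelling: a different header on the wire,
# but the same HTTP_REMOTE_USER key once Django has mapped it.
UNDERSCORE_CLIENT_HEADERS = [
    (b"host", b"app.example.test"),
    (b"remote_user", b"admin"),
]

if __name__ == "__main__":
    for proxy in (passthrough_proxy, stripping_proxy):
        for headers in (FORGED_CLIENT_HEADERS, UNDERSCORE_CLIENT_HEADERS):
            for user in (None, "alice"):
                seen = who_does_django_see(proxy, headers, user)
                print(f"{proxy.__name__:18} proxy_user={user!r:8} app sees {seen!r}")
```

The pass-through model also shows why "the proxy appends its own header" is not the same as "the proxy overwrites it": with a forged header already present the application sees `admin,alice`, a value that matches no real user and will misbehave in either direction. The strip is only meaningful if the ASGI server is reachable solely through the proxy; a client that can hit the application port directly bypasses it entirely.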