Changes between Version 17 and Version 18 of SecurityTeam
Timestamp:
Feb 27, 2026, 6:35:08 AM (3 weeks ago)
Author:
Natalia Bidart
Comment:

--

  • SecurityTeam

    v17 v18  
    154154Hello,
    155155
    156 Thank you for your report. After review, we've determined that the reported issue only affects workflows that process user input without sanitization. As documented at [0]:
    157 
    158 "Reports based on a failure to sanitize user input are not valid security vulnerabilities. It is the developer’s responsibility to properly handle user input."
    159 
    160 If using the `Remote-User` header for authentication, it's critical that it not be allowed through clients. Whatever intermediary proxy is handling the authentication should strip out the header from all requests. Because of this, the behavior you reported is not considered a security issue within the Django project.
    161 
    162 For further details, you can review and help in  https://code.djangoproject.com/ticket/36862.
    163 
    164 Thanks for taking the time to submit it through the appropriate channel.
    165 
    166 Kind regards, the Django Security Team.
     156Thank you for your report. After review, we have determined that this behavior results from deploying `RemoteUserMiddleware` without a trusted upstream component responsible for authentication and header sanitization. As documented in our security policy [0], issues that arise from failing to properly handle or restrict user-controlled input are not considered security vulnerabilities in Django itself.
     157
     158`RemoteUserMiddleware` is designed to rely on a trusted front-end server that performs authentication and sets or strips the relevant header. If Django is deployed in a configuration where clients can supply that header directly, this represents a deployment misconfiguration rather than a flaw in Django.
     159
     160For ongoing discussion about improving documentation clarity around this topic, please see ticket #36862: https://code.djangoproject.com/ticket/36862
     161
     162For these reasons, we are closing this report.
     163
     164Kind regards,
     165The Django Security Team
    167166
    168167[0] https://docs.djangoproject.com/en/stable/internals/security/#user-input-must-be-sanitized
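Review bot: the rewritten reply in v18 drops the one concrete mitigation the v17 text gave ("Whatever intermediary proxy is handling the authentication should strip out the header from all requests") and no longer names the header, referring only to "the relevant header" that the front-end "sets or strips". Since a reporter reading this needs to know what to change in their deployment, consider keeping the header name `Remote-User` and an explicit sentence that the trusted front-end must strip it from every incoming client request before it reaches Django, alongside the new "deployment misconfiguration" framing.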