Changes between Version 25 and Version 26 of SecurityTeam
- Timestamp:
- Apr 21, 2026, 11:54:26 AM (5 days ago)
SecurityTeam
v25 v26 181 181 Thank you for your report. After review, we have determined that this behavior results from deploying `RemoteUserMiddleware` without a trusted upstream component responsible for authentication and header sanitization. As documented in our security policy [0], issues that arise from failing to properly handle or restrict user-controlled input are not considered security vulnerabilities in Django itself. 182 182 183 `RemoteUserMiddleware` is designed to rely on a trusted front-end server that performs authentication and sets or strips the relevant header. If Django is deployed in a configuration where clients can supply that header directly, this represents a deployment misconfiguration rather than a flaw in Django. 184 185 For ongoing discussion about improving documentation clarity around this topic, please see ticket #36862: https://code.djangoproject.com/ticket/36862 183 `RemoteUserMiddleware` is designed to rely on a trusted front-end server that performs authentication and sets or strips the relevant header. If Django is deployed in a configuration where clients can supply that header directly, this represents a deployment misconfiguration rather than a flaw in Django. See the documented security considerations [1]. 186 184 187 185 For these reasons, we are closing this report. … … 191 189 192 190 [0] https://docs.djangoproject.com/en/stable/internals/security/#user-input-must-be-sanitized 191 [1] https://docs.djangoproject.com/en/stable/howto/auth-remote-user/#configuration 193 192 194 193 === Confusion with YANGO (usually sent in Spanish) ===
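Review bot: The replaced sentence drops the only pointer to ticket #36862 (the open documentation-clarity discussion), so a reporter reading v26 of this template no longer has a place to follow or contribute to that work; if the ticket is still open, consider keeping the ticket link alongside the new "See the documented security considerations [1]" reference rather than substituting one for the other. The new reference [1] (https://docs.djangoproject.com/en/stable/howto/auth-remote-user/#configuration) is a better fit for the preceding sentence than the ticket, since that is where the requirement that the front-end server set or strip the header is actually documented, and appending it after [0] keeps the footnote numbering in order. One small consistency point in the unchanged line 181/183 pair: the first paragraph cites [0] for "user-controlled input" and the second now cites [1] for deployment configuration, which is the right split, but the phrase "sets or strips the relevant header" would be clearer if it named the header explicitly the way the linked section does, so that the reporter can check their own proxy configuration against it.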