Debian Bug report logs - #663230
With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers


Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Enrico Zini <enrico@debian.org>

Date: Fri, 9 Mar 2012 17:09:01 UTC

Severity: normal

Found in version python-django/1.3.1-4

Fixed in version python-django/1.5-1

Done: Luke Faraone <lfaraone@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://code.djangoproject.com/ticket/17869




Report forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#663230; Package python-django. (Fri, 09 Mar 2012 17:09:04 GMT)

Acknowledgement sent to Enrico Zini <enrico@debian.org>:
New Bug report received and forwarded. Copy sent to Chris Lamb <lamby@debian.org>. (Fri, 09 Mar 2012 17:09:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Enrico Zini <enrico@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers
Date: Fri, 09 Mar 2012 18:07:23 +0100
Package: python-django
Version: 1.3.1-4
Severity: normal

Hello,

thank you for maintaining Django. This was reproduced on
1.2.3-3+squeeze2 but the RemoteUserMiddleware code seems to be the same
as the 1.3.1-4 in my development machine.

RemoteUserMiddleware relies on a REMOTE_USER variable to be set by the
web server with the current user name, so far so good. However it does
not log a person out if the variable disappears during the same browser
session.

That may never happen with the usual browsers and auth, but it does
happen for other setups like DACS that have a logout feature button.

The error is in this bit of django.contrib.auth.middleware.RemoteUserMiddleware:

        try:
            username = request.META[self.header]
        except KeyError:
            # If specified header doesn't exist then return (leaving
            # request.user set to AnonymousUser by the
            # AuthenticationMiddleware).
            return

The except side assumes that if there is no request.META[self.header],
then the user is the anonymous one.

Since I found that it is not always the case, I fixed it by adding a simple
"auth.logout(request)" before returning:

        try:
            username = request.META[self.header]
        except KeyError:
            # If specified header doesn't exist then return (leaving
            # request.user set to AnonymousUser by the
            # AuthenticationMiddleware).

            # Make sure that if the server did not send any headers,
            # then we are actually logged out
            auth.logout(request)
            return

That one-line change made nm.debian.org log out properly under DACS.


Ciao,

Enrico


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-django depends on:
ii  python     2.7.2-10
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-8

Versions of packages python-django recommends:
ii  libjs-jquery  1.7.1-1

Versions of packages python-django suggests:
ii  geoip-database-contrib  <none>
ii  python-flup             <none>
ii  python-mysqldb          1.2.3-1
ii  python-psycopg          <none>
ii  python-psycopg2         2.4.4-3
ii  python-sqlite           1.0.1-9
ii  python-yaml             3.10-2

-- no debconf information
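To see the failure the report describes end to end, here is an added example (not Django's code and not part of this bug log) that models the middleware's control flow against an in-memory session; Request, login, logout, run and the session key names are stand-ins assumed for the model. The fixed variant also narrows the logout to sessions that RemoteUserBackend created, the refinement a practitioner wants so that an unconditional logout does not evict users who authenticated through another backend.

```python
# Added example, not Django's code: a small model of RemoteUserMiddleware's control
# flow; Request, login, logout and the session keys are stand-ins assumed here.
USER_KEY, BACKEND_KEY = "_auth_user_id", "_auth_user_backend"
REMOTE_BACKEND = "RemoteUserBackend"

class Request:
    """AuthenticationMiddleware stand-in: user (None = anonymous) comes from the session."""
    def __init__(self, meta, session):
        self.META, self.session = meta, session
        self.user = session.get(USER_KEY)

def login(request, username, backend):
    request.session.update({USER_KEY: username, BACKEND_KEY: backend})
    request.user = username

def logout(request):
    request.session.clear()
    request.user = None

def buggy_process_request(request):
    """As in the report: a missing header just returns, keeping any stale session."""
    try:
        username = request.META["REMOTE_USER"]
    except KeyError:
        return
    if request.user != username:
        login(request, username, REMOTE_BACKEND)

def fixed_process_request(request):
    """Missing header logs out, but only sessions RemoteUserBackend created,
    so a login made through another backend is not evicted."""
    try:
        username = request.META["REMOTE_USER"]
    except KeyError:
        if request.user is not None and request.session.get(BACKEND_KEY) == REMOTE_BACKEND:
            logout(request)
        return
    if request.user != username:
        login(request, username, REMOTE_BACKEND)

def run(process, metas, session=None):
    """Feed META dicts through one shared session; return the user seen per request."""
    session = {} if session is None else session
    users = []
    for meta in metas:
        req = Request(meta, session)
        process(req)
        users.append(req.user)
    return users

SEQUENCE = [{"REMOTE_USER": "enrico"}, {}]  # constructed: header sent, then dropped
```

Running `run(buggy_process_request, SEQUENCE)` returns the user on both requests, while the fixed variant returns the user only on the first; a session seeded with another backend's login is left untouched by the fixed variant.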




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#663230; Package python-django. (Sun, 11 Mar 2012 20:15:05 GMT)

Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Sun, 11 Mar 2012 20:15:05 GMT)

Message #10 received at 663230@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Enrico Zini <enrico@debian.org>, 663230@bugs.debian.org
Subject: Re: Bug#663230: With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers
Date: Sun, 11 Mar 2012 20:12:11 +0000
Enrico Zini wrote:

> However it does not log a person out if the variable disappears during the
> same browser session.

Thanks. I don't think this is a well-exercised part of Django. Regardless,
I've forwarded this to:

  https://code.djangoproject.com/ticket/17869

I've added my comments about a general fix there too.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-




Set Bug forwarded-to-address to 'https://code.djangoproject.com/ticket/17869'. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Sat, 31 Mar 2012 13:18:13 GMT)

Reply sent to Luke Faraone <lfaraone@debian.org>:
You have taken responsibility. (Mon, 25 Mar 2013 21:36:12 GMT)

Notification sent to Enrico Zini <enrico@debian.org>:
Bug acknowledged by developer. (Mon, 25 Mar 2013 21:36:12 GMT)

Message #17 received at 663230-close@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: 663230-close@bugs.debian.org
Subject: Bug#663230: fixed in python-django 1.5-1
Date: Mon, 25 Mar 2013 21:33:08 +0000
Source: python-django
Source-Version: 1.5-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 663230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <lfaraone@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 22 Mar 2013 17:52:30 -0400
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.5-1
Distribution: experimental
Urgency: low
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Luke Faraone <lfaraone@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 436983 646634 663230
Changes: 
 python-django (1.5-1) experimental; urgency=low
 .
   * New upstream release. Closes: #646634, #663230, #436983





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Jun 2013 07:28:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:56:06 2014; Machine Name: beach.debian.org
