Commit abbd94e
committed
fix: strip client-supplied identity headers in LocalUserAuthMiddleware
Defensively remove HTTP_REMOTE_USER and HTTP_X_REMOTE_USER from the
WSGI environ before checking REMOTE_ADDR, preventing any client from
injecting identity headers that could be trusted by future code paths.1 parent 6276841 commit abbd94e
1 file changed
Lines changed: 4 additions & 0 deletions
Lines changed: 4 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
17 | 21 | | |
18 | 22 | | |
19 | 23 | | |
0 commit comments