Skip to content

Commit abbd94e

Browse files
committed
fix: strip client-supplied identity headers in LocalUserAuthMiddleware
Defensively remove HTTP_REMOTE_USER and HTTP_X_REMOTE_USER from the WSGI environ before checking REMOTE_ADDR, preventing any client from injecting identity headers that could be trusted by future code paths.
1 parent 6276841 commit abbd94e

1 file changed

Lines changed: 4 additions & 0 deletions

File tree

src/promptflow-devkit/promptflow/_sdk/_service/utils/local_user_auth.py

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,10 @@ def __init__(self, wsgi_app):
1414
self._wsgi_app = wsgi_app
1515

1616
def __call__(self, environ, start_response):
17+
# Strip any client-supplied identity headers to prevent spoofing.
18+
environ.pop("HTTP_REMOTE_USER", None)
19+
environ.pop("HTTP_X_REMOTE_USER", None)
20+
1721
if environ.get("REMOTE_ADDR") in _LOOPBACK_REMOTE_ADDRS:
1822
environ["REMOTE_USER"] = getpass.getuser()
1923
return self._wsgi_app(environ, start_response)

0 commit comments

Comments
 (0)