[Zope] REMOTE_USER Security Issue
Jim Washington
jwashin at vt.edu
Thu May 18 11:28:47 EDT 2006
Cliff Ford wrote:
> This is just to report that this issue is resolved (for me). Tres
> Seaver kindly provided a patch for HTTPRequest.py that makes the
> environ dictionary immutable (appended below for those in a similar
> position). This may have adverse consequences for applications that
> rely on existing behaviour and Tres has recommended that it would be
> better to harden the User Folder code. In our case we might also be
> able to encrypt the remote Username. Once again, thanks to Tres and
> other list members, who are a wonderful resource.
A completely immutable environ is not a good choice from a WSGI
point of view. environ can be useful for middleware information-passing.
-Jim Washington
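
An added example, not part of the original message and not Tres Seaver's patch or Zope code: one way to reconcile the two positions in this thread is to freeze only the authentication key while leaving the rest of environ writable for middleware. The class name `GuardedEnviron`, the key set, and the sample values are hypothetical.

```python
from collections.abc import MutableMapping

# Assumption: only REMOTE_USER needs protecting (the one key the thread names).
PROTECTED_KEYS = frozenset({"REMOTE_USER"})


class GuardedEnviron(MutableMapping):
    """Hypothetical environ view: protected keys frozen, the rest writable."""

    def __init__(self, environ, protected=PROTECTED_KEYS):
        self._data = dict(environ)  # private copy taken at request setup
        self._protected = frozenset(protected)

    def _check(self, key):
        # Also blocks *adding* a protected key that the server never set.
        if key in self._protected:
            raise TypeError("environ key %r is read-only" % (key,))

    def __getitem__(self, key):
        return self._data[key]

    def __setitem__(self, key, value):
        self._check(key)
        self._data[key] = value

    def __delitem__(self, key):
        self._check(key)
        del self._data[key]

    def __iter__(self):
        return iter(self._data)

    def __len__(self):
        return len(self._data)


def demo():
    # Constructed sample environ, as a front-end server might supply it.
    env = GuardedEnviron({"REMOTE_USER": "alice", "PATH_INFO": "/"})
    env["example.session"] = "s1"  # middleware-style information passing
    attempts = (
        lambda: env.__setitem__("REMOTE_USER", "admin"),
        lambda: env.update(REMOTE_USER="admin"),
        lambda: env.pop("REMOTE_USER"),
    )
    blocked = 0
    for attempt in attempts:
        try:
            attempt()
        except TypeError:
            blocked += 1
    return env["REMOTE_USER"], env["example.session"], blocked
```

PEP 3333 requires the WSGI environ itself to be a builtin dict, so a wrapper like this fits only the request-level view handed to application code, and trusted code can still reach `_data` directly.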