https://review.openstack.org/#/c/14823/
There are a lot of features that come with running in HTTPD. The above
patch is essential to HTTPD support, specifically for Keystone.
There has been some discussion about disabling REMOTE_USER via a config file
option by default, but I think that is neither necessary nor sufficient. If
using container based authentication has a security issue, we should be
aware of it up front. If it is not, a config file will just frustrate
people trying to set up remote authentication. REMOTE_USER should become
the default method of authentication in the future anyway, as it is the
direct tie in with the HTTP spec. Using Kerberos or PKI is dependent on
this change. As such, it should be improving security, not lessening it.
As far as I have found, there is no way that a malicious user can affect the
env var dictionary to falsely inject REMOTE_USER.
All headers that get set and passed in get modified such that they end up in
the environment with 'HTTP_' prepended.
Args passed to GET and POST URLs, as well as cookies, go into internal
collections, and do not show up in the top level dictionary.
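As an added illustration (example code, not from the original post and not Keystone's own code), the following models how a CGI/WSGI gateway builds the environ from a request, so one can check the claim above: every client header lands under an HTTP_ prefixed key, query arguments stay in QUERY_STRING and cookies in HTTP_COOKIE, while the bare REMOTE_USER key is written only by the server after its own auth module succeeded. The function names (build_environ, authenticate, request_parts), the Kerberos-style principal and the request values are constructed for the demonstration.

```python
"""Added example (not from the original post or Keystone): a model of the
CGI/WSGI environ mapping, used to show why a client-supplied 'Remote-User'
header, query argument or cookie cannot forge container-based authentication."""
from urllib.parse import parse_qs
from http.cookies import SimpleCookie


def build_environ(method, path, query, headers, authenticated_user=None):
    """Build a WSGI environ the way an HTTPD/CGI gateway does.

    - Every request header is upper-cased, '-' becomes '_', and HTTP_ is
      prepended (real gateways special-case Content-Type/Content-Length;
      that detail is left out here).
    - REMOTE_USER is set only when the server's auth module (e.g. mod_auth_kerb)
      has authenticated the client; no header name can map onto that key.
    """
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,  # GET/POST args stay here, not at top level
    }
    for name, value in headers:
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    if authenticated_user is not None:
        environ["REMOTE_USER"] = authenticated_user  # server-asserted identity
    return environ


def authenticate(environ):
    """What an app relying on container auth trusts: the bare REMOTE_USER key."""
    return environ.get("REMOTE_USER")


def request_parts(environ):
    """Query args and cookies live in their own collections, parsed from
    QUERY_STRING and HTTP_COOKIE; they never become top-level environ keys."""
    cookie = SimpleCookie()
    cookie.load(environ.get("HTTP_COOKIE", ""))
    return {
        "query": parse_qs(environ.get("QUERY_STRING", "")),
        "cookies": {k: m.value for k, m in cookie.items()},
    }


# Constructed request in which a client tries every channel to claim 'admin'.
FORGED_HEADERS = [
    ("Host", "keystone.example.test"),
    ("Remote-User", "admin"),
    ("Cookie", "REMOTE_USER=admin; session=abc"),
]
FORGED_QUERY = "REMOTE_USER=admin"


def forged_request():
    """No server-side auth succeeded: the forged values are all visible, but
    only under HTTP_REMOTE_USER, QUERY_STRING and HTTP_COOKIE."""
    return build_environ("GET", "/v2.0/tokens", FORGED_QUERY, FORGED_HEADERS)


def server_authenticated_request():
    """Same forged request, but the server's auth module set the identity."""
    return build_environ("GET", "/v2.0/tokens", FORGED_QUERY, FORGED_HEADERS,
                         authenticated_user="alice@EXAMPLE.COM")


if __name__ == "__main__":
    env = forged_request()
    print("forged request authenticates as:", authenticate(env))
    print("forged header landed in:", env["HTTP_REMOTE_USER"])
    print("args/cookies:", request_parts(env))
    print("server-authenticated request:", authenticate(server_authenticated_request()))
```

The check an operator cares about is the first one: with no server-side authentication the app sees no REMOTE_USER at all, even though the same name was sent as a header, a query argument and a cookie.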
--
Mailing list: https://launchpad.net/~openstack-ossg
Post to : openstack-ossg@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack-ossg
More help : https://help.launchpad.net/ListHelp