From 4b59d55690556419623554b75cd1e31fbd72471c Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Fri, 30 Sep 2016 17:12:30 +0100
Subject: [PATCH] Improve security of REMOTE_USER handling (B. Marshall)
---
 Netdisco/Changes | 4 ++++
 Netdisco/lib/App/Netdisco/Web/AuthN.pm | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Netdisco/Changes b/Netdisco/Changes
index 4599cc59..e0cb297f 100644
--- a/Netdisco/Changes
+++ b/Netdisco/Changes
@@ -5,6 +5,10 @@
 * Add systemd guide
 * Add environment variable for https reverse proxy (B. Marshall)
+ [BUG FIXES]
+
+ * Improve security of REMOTE_USER handling (B. Marshall)
+
 2.033006 - 2016-03-20
 [ENHANCEMENTS]
diff --git a/Netdisco/lib/App/Netdisco/Web/AuthN.pm b/Netdisco/lib/App/Netdisco/Web/AuthN.pm
index 022c6139..e3f63ea8 100644
--- a/Netdisco/lib/App/Netdisco/Web/AuthN.pm
+++ b/Netdisco/lib/App/Netdisco/Web/AuthN.pm
@@ -9,11 +9,15 @@ hook 'before' => sub {
 ? request->uri : uri_for('/inventory')->path);
 if (! session('logged_in_user') && request->path ne uri_for('/login')->path) {
- if (setting('trust_x_remote_user') and scalar request->header('X-REMOTE_USER')) {
+ if (setting('trust_x_remote_user')
+ and scalar request->header('X-REMOTE_USER')
+ and length scalar request->header('X-REMOTE_USER')) {
 session(logged_in_user => scalar request->header('X-REMOTE_USER'));
 session(logged_in_user_realm => 'users');
 }
- elsif (setting('trust_remote_user') and $ENV{REMOTE_USER}) {
+ elsif (setting('trust_remote_user')
+ and defined $ENV{REMOTE_USER}
+ and length $ENV{REMOTE_USER}) {
 session(logged_in_user => $ENV{REMOTE_USER});
 session(logged_in_user_realm => 'users');
 }
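Review bot: The X-REMOTE_USER branch of the new condition still gates on the header's truthiness (`scalar request->header(...)` in boolean context), so the added `length` test is redundant there and a header value of `0` is rejected, whereas the REMOTE_USER branch below now accepts it through `defined`/`length`; the two branches should apply the same test. Reading the header once also removes the three identical calls: `my $x_remote_user = scalar request->header('X-REMOTE_USER');` followed by `if (setting('trust_x_remote_user') and defined $x_remote_user and length $x_remote_user) {` and `session(logged_in_user => $x_remote_user);`. Because an X-REMOTE_USER request header is presumably client-supplied unless the fronting reverse proxy overwrites it, a comment above the first `if` such as `# X-REMOTE_USER is only trustworthy when the proxy sets it unconditionally; trust_x_remote_user must stay off otherwise` would record the assumption the setting name implies. The enclosing `hook 'before'` sub starts before and ends after this hunk.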