A security vulnerability was recently discovered by Björn Grüning with Galaxy's "user impersonation" feature that can expose an administrator's active history to users whom they impersonate. Only Galaxy instances with `allow_user_impersonation = True` set in their configurations are affected, and only if an administrator makes use of the impersonation feature. By default, user impersonation is disabled.
A fix (id: 9d42f1e32efb) has been provided in the stable branch of Galaxy. To apply the fix, ensure you are on the stable branch and upgrade to the latest changeset:
% hg update stable
% hg pull -u
For Galaxy installations running relatively old versions that administrators are not yet ready to upgrade, there are three workarounds. First, the patch can be downloaded and applied manually:
% wget -O security.patch https://bitbucket.org/galaxy/galaxy-central/commits/9d42f1e32efb654fda1e011d...
and then:
% hg patch security.patch
or:
% patch -p1 < security.patch
Second, the impersonation feature can be disabled by setting the following option in Galaxy's configuration file:
allow_user_impersonation = False
In all of the above cases, the Galaxy server process(es) must be restarted for the change to take effect.
Third, the feature can be left enabled and unpatched, and the vulnerability can be worked around by educating administrators who use the feature. As long as a new history is created by the administrator prior to switching to the impersonated user, no data will be exposed to the impersonated user.
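For the second workaround, an added example (not part of this announcement or of Galaxy's own code) that audits an ini-style Galaxy configuration for the impersonation setting and rewrites it to the disabled value. It assumes the Paste-style layout Galaxy used, with the option under an [app:main] section, and that Galaxy treats the values true/yes/on/1 case-insensitively as enabled; the sample configuration text is constructed for the example.

```python
"""Audit a Galaxy ini-style configuration for allow_user_impersonation.

Added example, not Galaxy project code. Assumes the [app:main] section layout
and a case-insensitive true/yes/on/1 boolean test; sample config is constructed.
"""
import configparser

# Spellings assumed to be read by Galaxy as "enabled".
TRUE_VALUES = ("true", "yes", "on", "1")

# Constructed sample, in the layout of a Galaxy universe_wsgi.ini.
SAMPLE_CONFIG = """\
[app:main]
use = egg:Paste#urlmap
admin_users = admin@example.org
allow_user_impersonation = True
"""


def impersonation_enabled(config_text):
    """Return True when allow_user_impersonation is set to an enabled value."""
    # interpolation=None: Paste-style configs may contain %(here)s, which the
    # default interpolation would otherwise try to expand.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section("app:main"):
        return False
    # Missing option means the default, which is disabled.
    value = parser.get("app:main", "allow_user_impersonation", fallback="False")
    return value.strip().lower() in TRUE_VALUES


def disable_impersonation(config_text):
    """Return the config text with allow_user_impersonation forced to False.

    Lines are rewritten in place so comments and ordering survive; if the
    option is absent it is added explicitly inside [app:main].
    """
    out = []
    section = None
    done = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving [app:main] without having seen the key: add it explicitly.
            if section == "app:main" and not done:
                out.append("allow_user_impersonation = False")
                done = True
            section = stripped[1:-1]
        elif section == "app:main" and stripped and not stripped.startswith(("#", ";")):
            key = stripped.split("=", 1)[0].strip().lower()
            if key == "allow_user_impersonation":
                line = "allow_user_impersonation = False"
                done = True
        out.append(line)
    if section == "app:main" and not done:
        out.append("allow_user_impersonation = False")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("impersonation enabled:", impersonation_enabled(SAMPLE_CONFIG))
    print(disable_impersonation(SAMPLE_CONFIG))
```

The Galaxy server processes still have to be restarted after the file is rewritten, as the announcement notes.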
--nate Galaxy Team
galaxy-announce@lists.galaxyproject.org