This PR prevents the WSGI header attack as documented here (by dropping headers containing underscores from the request).
Prevent header spoofing via underscore/dash conflation.
The test failures don't look to be related to the changes here: more like timeouts (Travis under heavy load?) I have restarted the test run there.
I was wrong -- this change does break Python 3.x tests: I pushed a trivial change to master and the tests all pass on Travis: re-starting them for this PR shows the same failures for Py3k.
@tseaver FWIW you can just hit the refresh button on travis to re-run the tests. You do not need to commit to the repo.
Yup, I did that for the PR run. I've got some superstition related to previous oddball experience that made me want to provoke a build with a fresh commit.
Fix tests Python3 breakage
@tseaver I've fixed the breakage under Python3 (still works under 27) - is this PR desired (can re-issue)?
This change fixes it.
Sorry for closing -- that was a fat-fingered late-night miss. Please push your fix.
Note that I'm not convinced that waitress is actually vulnerable here: we don't rely on X-Forwarded-For at all (in spite of what the docs say), although we do allow 'X-Forwarded-Proto' to change the scheme to one of http or https, but only if the source is configured as trusted-proxy (which should not be true for development or where waitress serves direct requests).
I don't think it would hurt to apply this sanitization.
Added myself to contributors.
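The sanitization this PR applies, as an added example that is not waitress's code or the PR's patch: a simplified model of the CGI/WSGI header mapping shows how a client-supplied `X_Forwarded_Proto` collides with the `X-Forwarded-Proto` a trusted proxy sets, and how dropping underscore-named headers before the mapping removes the collision. The header names, values and the `build_environ`/`forwarded_proto` helpers are constructed for illustration.

```python
# Added example, not waitress's own code or this PR's patch: it shows why
# dash/underscore conflation lets an untrusted header collide with one a
# trusted proxy sets, and how dropping underscore-named headers prevents it.
# Header names and values below are constructed for illustration.


def cgi_key(name: str) -> str:
    """CGI/WSGI mapping: '-' and '_' both become '_', so two distinct
    request header names can land on the same environ key."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(raw_headers, drop_underscore_names=False):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    With drop_underscore_names=True, any header whose raw name contains
    an underscore is discarded before mapping (the sanitization this PR
    applies); legitimate HTTP header names only ever use dashes.
    """
    environ = {}
    for name, value in raw_headers:
        if drop_underscore_names and "_" in name:
            continue
        key = cgi_key(name)
        # Repeated headers are combined into one comma-separated value.
        environ[key] = value if key not in environ else environ[key] + "," + value
    return environ


# Constructed request: the client sent an underscore-spelled header, then
# the trusted reverse proxy appended the real X-Forwarded-Proto.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X_Forwarded_Proto", "https"),  # client-supplied, underscore spelling
    ("X-Forwarded-Proto", "http"),   # added by the trusted proxy
]


def forwarded_proto(raw_headers, sanitize):
    """Return the X-Forwarded-Proto value a WSGI app would see."""
    env = build_environ(raw_headers, drop_underscore_names=sanitize)
    return env.get("HTTP_X_FORWARDED_PROTO")


if __name__ == "__main__":
    print("unsanitized:", forwarded_proto(SAMPLE_HEADERS, sanitize=False))  # https,http
    print("sanitized:  ", forwarded_proto(SAMPLE_HEADERS, sanitize=True))   # http
```

Without the sanitization the app sees a merged value that the client partly controls; with it, only the proxy's dash-spelled header survives.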