Prevent header spoofing via underscore/dash conflation. #80
Conversation
The test failures don't look to be related to the changes here: more like timeouts (Travis under heavy load?) I have restarted the test run there.
I was wrong -- this change does break Python 3.x tests: I pushed a trivial change to
@tseaver FWIW you can just hit the refresh button on Travis to re-run the tests. You do not need to commit to the repo.
Yup, I did that for the PR run. I've got some superstition related to previous oddball experience that made me want to provoke a build with a fresh commit.
@tseaver I've fixed the breakage under Python 3 (still works under 2.7) - is this PR desired (can re-issue)?
Sorry for closing -- that was a fat-fingered late-night miss. Please push your fix.
Note that I'm not convinced that waitress is actually vulnerable here: we don't rely on I don't think it would hurt to apply this sanitization.
@tseaver done
This PR prevents the WSGI header attack as documented here (by dropping headers containing underscores from the request).
See https://www.djangoproject.com/weblog/2015/jan/13/security/
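The conflation the PR description refers to, shown as an added example. This is not waitress's code; it is a stand-alone model of the PEP 3333 header-to-environ translation with the mitigation described above (discarding request headers whose raw names contain an underscore) as a switch, so the two behaviours can be compared on constructed input. The header values are made up for the demonstration.

```python
"""Added example (not waitress's code): WSGI header-name conflation and the
mitigation of dropping underscore-named request headers before translation."""

from typing import Dict, List, Tuple

# Headers that PEP 3333 places in environ without the HTTP_ prefix.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def headers_to_environ(headers: List[Tuple[str, str]], drop_underscore: bool) -> Dict[str, str]:
    """Translate raw request headers into WSGI environ keys.

    PEP 3333 maps a header name to 'HTTP_' + the upper-cased name with '-'
    replaced by '_'. Because '_' itself is left untouched, 'X_Forwarded_For'
    and 'X-Forwarded-For' land on the same HTTP_X_FORWARDED_FOR key, so a
    client-supplied underscore header can merge with (or stand in for) the
    dash header a front-end proxy sets. With drop_underscore=True the
    underscore-named header is discarded first, so only the dash form can
    reach the application.
    """
    environ: Dict[str, str] = {}
    for name, value in headers:
        if drop_underscore and "_" in name:
            continue  # mitigation: the raw name can never be produced by a sane client
        lowered = name.lower()
        if lowered in _UNPREFIXED:
            key = _UNPREFIXED[lowered]
        else:
            key = "HTTP_" + name.upper().replace("-", "_")
        if key in environ:
            # Repeated field names are joined with a comma (PEP 3333 / RFC 7230).
            environ[key] = environ[key] + "," + value
        else:
            environ[key] = value
    return environ


# Constructed request: a proxy added the real X-Forwarded-For, while the
# client also supplied an underscore-spelled variant that many proxies do not
# recognise as the same header and therefore do not strip.
CONSTRUCTED_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example.test"),
    ("Content-Length", "0"),
    ("X-Forwarded-For", "203.0.113.10"),  # set by the trusted proxy (constructed)
    ("X_Forwarded_For", "198.51.100.7"),  # client-supplied, underscore spelling (constructed)
]


def forwarded_for(drop_underscore: bool) -> str:
    """What the application would read as the forwarded client address."""
    return headers_to_environ(CONSTRUCTED_HEADERS, drop_underscore)["HTTP_X_FORWARDED_FOR"]


if __name__ == "__main__":
    print("without mitigation:", forwarded_for(False))
    print("with mitigation:   ", forwarded_for(True))
```

Without the mitigation both spellings are merged into one comma-joined `HTTP_X_FORWARDED_FOR` value, so any code that trusts that key no longer sees only what the proxy wrote; with the mitigation the underscore header never enters the environ and the proxy's value stands alone. `Content-Length` is kept to show that the unprefixed keys are translated the same way and are unaffected by the rule.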