Prevent header spoofing via underscore/dash conflation.

[mgrbyte]

This PR prevents the WSGI header attack as documented here (by dropped headers containing underscores from the request)
See https://www.djangoproject.com/weblog/2015/jan/13/security/

[tseaver]

The test failures don't look to be related to the changes here: more like timeouts (Travis under heavy load?) I have restarted the test run there.

[tseaver]

I was wrong -- this change does break Python 3.x tests: I pushed a trivial change to master and the tests all pass on Travis: re-starting them for this PR shows the same failures for Py3k.

[mmerickel]

@tseaver FWIW you can just hit the refresh button on travis to re-run the tests. You do not need to commit to the repo.

[tseaver]

Yup, I did that for the PR run. I've got some superstition related to previous oddball experience that made me want to provoke a build with a fresh commit.

[mgrbyte]

@tseaver I've fixed the breakage under Python3 (still works under 27) - is this PR desired (can re-issue)?
this change fixes it.

[tseaver]

Sorry for closing -- that was a fat-fingered late-night miss. Please push your fix.

[tseaver]

Note that I'm not convinced that waitress is actually vulnerable here: we don't rely on X-Forwarded-For at all (in spite of what the docs say), although we do allow 'X-Forwarded-Proto' to change the scheme to one of http or https, but only if the source is configured as trusted-proxy (which should not be true for development or where waitress serves direct requests).

I don't think it would hurt to apply this sanitization.

[mgrbyte]

@tseaver done