Skip to content

Commit

Permalink
Prevent header spoofing via underscore/dash conflation
Browse files Browse the repository at this point in the history 
See https://www.djangoproject.com/weblog/2015/jan/13/security/
  • Loading branch information
@jmuchemb
jmuchemb committed Jun 18, 2019
1 parent e0d83b0 commit cf1374d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/ZServer/HTTPServer.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ def get_environment(self, request,
value=value.strip()
if h2ehas(key) and value:
env[h2eget(key)]=value
else:
elif "_" not in key:
key='HTTP_%s' % ("_".join(key.split( "-"))).upper()
if value and not env_has(key):
env[key]=value
Expand Down

0 comments on commit cf1374d

Please sign in to comment.