Prevent header spoofing via underscore/dash conflation
jmuchemb committed Jun 18, 2019
1 parent e0d83b0 commit d2970be
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/ZServer/HTTPServer.py
Expand Up @@ -235,7 +235,8 @@ def get_environment(self, request,
value=value.strip()
if h2ehas(key) and value:
env[h2eget(key)]=value
else:
elif "_" not in key: # Headers with underscores,
# might spoof real ones.
key='HTTP_%s' % ("_".join(key.split( "-"))).upper()
if value and not env_has(key):
env[key]=value
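Review bot: the new `elif "_" not in key:` branch discards any header whose name contains an underscore without leaving a trace, so a client or proxy that legitimately sends such a header will see it vanish with nothing in the logs to explain why. Consider emitting a debug-level log entry when a header is skipped, and documenting the behaviour change for operators. The guard also applies only to this fallback branch; keys taken by the `h2ehas(key)` branch above are not checked, so it is worth confirming that the lookup there cannot match an underscore spelling of a mapped header. The commit touches only `src/ZServer/HTTPServer.py`, so a regression test that sends both `X-Foo` and `X_Foo` and asserts that only the dash form reaches `env` would pin the fix down. Minor: the comment reads more cleanly without the comma, as "Headers with underscores might spoof real ones."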