authorBert JW Regeer <xistence@0x58.com>2016-06-24 23:19:28 -0600
committerGitHub <noreply@github.com>2016-06-24 23:19:28 -0600
commit7f4e0f7b9c14aba74dd1da7a030072d79ca99b6b (patch)
tree71cf0bb1e90a9f6fd70f61917af65ab340952b87
parent631b5fc855f5930f2766286fdf0d379a5b3973d1 (diff)
parenteb10e2867444857bfed6535f37351e77ecdf5b9c (diff)
downloadwaitress-7f4e0f7b9c14aba74dd1da7a030072d79ca99b6b.tar.gz
Merge pull request #129 from Pylons/security/sanitize_headers
Security: sanitize headers
-rw-r--r--CHANGES.txt9
-rw-r--r--CONTRIBUTORS.txt3
-rw-r--r--waitress/parser.py2
-rw-r--r--waitress/tests/test_parser.py17
4 files changed, 30 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 7a16e9d..c7a9988 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -19,3 +19,12 @@ Features
from waitress import serve
serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543')
+
+Security
+~~~~~~~~
+
+- Waitress will now drop HTTP headers that contain an underscore in the key
+ when received from a client. This is to stop any possible underscore/dash
+ conflation that may lead to security issues. See
+ https://github.com/Pylons/waitress/pull/80 and
+ https://www.djangoproject.com/weblog/2015/jan/13/security/
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index dfefb8f..a53e15d 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -121,6 +121,8 @@ Contributors
- Adam Groszer, 2013/08/15
+- Matt Russell, 2015/01/14
+
- David Glick, 2015/04/13
- Shane Hathaway, 2015-04-20
@@ -134,3 +136,4 @@ Contributors
- Yu Zhou, 2015-09-24
- Jason Madden, 2016-03-19
+
diff --git a/waitress/parser.py b/waitress/parser.py
index 9962b83..fc71d68 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -182,6 +182,8 @@ class HTTPRequestParser(object):
index = line.find(b':')
if index > 0:
key = line[:index]
+ if b'_' in key:
+ continue
value = line[index + 1:].strip()
key1 = tostr(key.upper().replace(b'-', b'_'))
# If a header already exists, we append subsequent values
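Review bot: The added `continue` drops the header silently and without a comment, so a reader of the parsing loop cannot tell why an underscore in a client-supplied header name is treated specially; the reason is the `replace(b'-', b'_')` two lines below, which would otherwise let `X-Auth_User` and `X-Auth-User` land on the same environ key and let one override the other. I would put that above the check: `# Drop header names containing '_': the '-' -> '_' mapping below would otherwise conflate them with the hyphenated name (underscore/dash collision, see PR #80).` Dropping rather than rejecting with a 400 is a defensible choice, but it should be stated, and a debug-level log of the dropped name would help an operator diagnose a client that legitimately sends such a header. The enclosing method starts and ends outside this hunk, so I cannot see whether any earlier normalization of `key` would bypass this check.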
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 423d75a..781d7c7 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -408,9 +408,24 @@ Hello.
self.assertEqual(self.parser.headers, {
'CONTENT_LENGTH': '7',
'X_FORWARDED_FOR':
- '10.11.12.13, unknown,127.0.0.1, 255.255.255.255',
+ '10.11.12.13, unknown,127.0.0.1',
})
+ def testSpoofedHeadersDropped(self):
+ data = b"""\
+GET /foobar HTTP/8.4
+x-auth_user: bob
+content-length: 7
+
+Hello.
+"""
+ self.feed(data)
+ self.assertTrue(self.parser.completed)
+ self.assertEqual(self.parser.headers, {
+ 'CONTENT_LENGTH': '7',
+ })
+
+
class DummyBodyStream(object):
def getfile(self):