authorMatt Russell <matthew.russell@horizon5.org>2015-01-13 22:30:46 +0000
committerBert JW Regeer <bertjw@regeer.org>2016-06-24 23:00:13 -0600
commit6d4dab6bed88917b973066a6d5222917661802b7 (patch)
tree5a0255550d74dde23cdf1a524027835f38df0bea
parent631b5fc855f5930f2766286fdf0d379a5b3973d1 (diff)
downloadwaitress-6d4dab6bed88917b973066a6d5222917661802b7.tar.gz
Prevent header spoofing via underscore/dash conflation.
See https://www.djangoproject.com/weblog/2015/jan/13/security/
-rw-r--r--waitress/parser.py2
-rw-r--r--waitress/tests/test_parser.py17
2 files changed, 18 insertions, 1 deletions
diff --git a/waitress/parser.py b/waitress/parser.py
index 9962b83..0315967 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -182,6 +182,8 @@ class HTTPRequestParser(object):
index = line.find(b':')
if index > 0:
key = line[:index]
+ if '_' in key:
+ continue
value = line[index + 1:].strip()
key1 = tostr(key.upper().replace(b'-', b'_'))
# If a header already exists, we append subsequent values
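Review bot: The added guard `if '_' in key:` tests a str against a bytes value: `key = line[:index]` is sliced from a line that was searched with `b':'` and is afterwards passed to `.replace(b'-', b'_')`, so on Python 3 the `in` raises TypeError for every header line that contains a colon instead of dropping the suspicious one. The guard should read `if b'_' in key:`; if the project is still exercised on Python 2 the str form passes there, which is presumably why the new test did not surface it. The reason for discarding the header also lives only in the commit message, so a comment above the guard such as `# Drop header names containing '_': after the '-' -> '_' rewrite below they would collide with a legitimate dashed header` would keep it with the code. The enclosing header-parsing method of HTTPRequestParser starts and ends outside the hunk.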
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 423d75a..781d7c7 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -408,9 +408,24 @@ Hello.
self.assertEqual(self.parser.headers, {
'CONTENT_LENGTH': '7',
'X_FORWARDED_FOR':
- '10.11.12.13, unknown,127.0.0.1, 255.255.255.255',
+ '10.11.12.13, unknown,127.0.0.1',
})
+ def testSpoofedHeadersDropped(self):
+ data = b"""\
+GET /foobar HTTP/8.4
+x-auth_user: bob
+content-length: 7
+
+Hello.
+"""
+ self.feed(data)
+ self.assertTrue(self.parser.completed)
+ self.assertEqual(self.parser.headers, {
+ 'CONTENT_LENGTH': '7',
+ })
+
+
class DummyBodyStream(object):
def getfile(self):
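Review bot: testSpoofedHeadersDropped only pins that a lone underscored header vanishes; it does not exercise the conflation the commit title names, where `x_auth_user: bob` arrives together with a legitimate `x-auth-user: alice` and the dashed value must be the one that survives. A second test feeding both lines and asserting `'X_AUTH_USER': 'alice'` in `self.parser.headers` would pin that behaviour directly. The shrunken expectation `'10.11.12.13, unknown,127.0.0.1'` suggests the existing fixture, which lies outside the hunk, carries an underscored X-Forwarded-For variant that is now dropped; a one-line comment at that fixture saying so would explain why the expected value lost its last element.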