author | Matt Russell <matthew.russell@horizon5.org> | 2015-01-13 22:30:46 +0000 |
---|---|---|
committer | Bert JW Regeer <bertjw@regeer.org> | 2016-06-24 23:00:13 -0600 |
commit | 6d4dab6bed88917b973066a6d5222917661802b7 (patch) | |
tree | 5a0255550d74dde23cdf1a524027835f38df0bea | |
parent | 631b5fc855f5930f2766286fdf0d379a5b3973d1 (diff) | |
Prevent header spoofing via underscore/dash conflation.
See https://www.djangoproject.com/weblog/2015/jan/13/security/
-rw-r--r-- | waitress/parser.py | 2 | ||||
-rw-r--r-- | waitress/tests/test_parser.py | 17 |
2 files changed, 18 insertions, 1 deletions
diff --git a/waitress/parser.py b/waitress/parser.py
index 9962b83..0315967 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -182,6 +182,8 @@ class HTTPRequestParser(object):
 index = line.find(b':')
 if index > 0:
 key = line[:index]
+ if '_' in key:
+ continue
 value = line[index + 1:].strip()
 key1 = tostr(key.upper().replace(b'-', b'_'))
 # If a header already exists, we append subsequent values
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 423d75a..781d7c7 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -408,9 +408,24 @@ Hello.
 self.assertEqual(self.parser.headers, {
 'CONTENT_LENGTH': '7',
 'X_FORWARDED_FOR':
- '10.11.12.13, unknown,127.0.0.1, 255.255.255.255',
+ '10.11.12.13, unknown,127.0.0.1',
 })
 
+ def testSpoofedHeadersDropped(self):
+ data = b"""\
+GET /foobar HTTP/8.4
+x-auth_user: bob
+content-length: 7
+
+Hello.
+"""
+ self.feed(data)
+ self.assertTrue(self.parser.completed)
+ self.assertEqual(self.parser.headers, {
+ 'CONTENT_LENGTH': '7',
+ })
+
+
 class DummyBodyStream(object):
 def getfile(self): |
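Review bot: `'_' in key` tests a str against a bytes value: `key` is sliced from `line`, and the surrounding lines treat `line` as bytes (`line.find(b':')`, `key.upper().replace(b'-', b'_')`), so on Python 3 this raises `TypeError` on the first header of any request instead of dropping the spoofed one, and the new test in the second hunk feeds a `b"""..."""` request that would hit exactly that. The guard should be `if b'_' in key:`. Silently skipping the header also leaves no trace that an aliasing attempt happened, so either log it or reject the request with a 400 rather than `continue`; whichever you pick, a comment such as `# Drop names containing '_' so X-Auth_User cannot alias X-Auth-User after the dash-to-underscore CGI mapping; RFC 7230 tokens do permit '_', so genuinely underscored headers are lost too` records the trade-off. The enclosing header-parsing loop starts and ends outside this hunk.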
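Review bot: `testSpoofedHeadersDropped` only asserts that the underscored name is absent, but the vector being closed is an underscored name colliding with the dashed one after the `-`→`_` mapping, and the first hunk's comment says the parser appends values to an already-present header, so the test should also send the legitimate form and pin its value: add `x-auth-user: alice` to the request data and `'X_AUTH_USER': 'alice',` to the expected dict, ideally once with the spoofed header before and once after the real one. The changed X_FORWARDED_FOR expectation above appears to cover a mixed case, but its request data lies outside the hunk so I cannot confirm which header it drops. The enclosing test class starts outside this hunk.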