drop header keys with underscores #959
Conversation
|
Thank you @kevin-mizu |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #959 +/- ##
=====================================
- Coverage 56% 56% -1%
=====================================
Files 89 89
Lines 9767 9773 +6
Branches 1819 1821 +2
=====================================
- Hits 5485 5483 -2
- Misses 3913 3919 +6
- Partials 369 371 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
eventlet/wsgi.py
Outdated
| @@ -748,6 +748,9 @@ def get_environ(self): | |||
|
|
|||
| env['headers_raw'] = headers_raw = tuple((k, v.strip(' \t\n\r')) for k, v in headers) | |||
| for k, v in headers_raw: | |||
| if "_" in k: | |||
There was a problem hiding this comment.
I'd suggest either to internalize the treatment of this condition and of the following replacement (from line 751 to line 754) into a dedicated function with a an explicit naming (e.g formalize_key_naming) and with an explicit docstring explain the purpose of doing this, or to add a comment just before the condition you added here.
I think that without more explanations than that, at the implementation level, many people could wonders why this condition exist.
|
Also, this patch brokes unit tests. I think unit testing need some adjustment to become compatible with this new rule. |
|
Do you plan to declare a new CVE? |
|
I will try to start the process this afternoon :D |
|
Awesome, thank you. |
Headers which contain
_shouldn't be allowed as they could create confusion in incoming requests, allowing, for example, the usage ofCONTENT_LENGTHinstead ofContent-Length.This has already been fixed in various WSGI/proxy servers: