diff options
Diffstat (limited to 'django/core/handlers/asgi.py')
| -rw-r--r-- | django/core/handlers/asgi.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/django/core/handlers/asgi.py b/django/core/handlers/asgi.py index 1ca9130a78..4ce7a31716 100644 --- a/django/core/handlers/asgi.py +++ b/django/core/handlers/asgi.py @@ -87,6 +87,9 @@ class ASGIRequest(HttpRequest): _headers = defaultdict(list) for name, value in self.scope.get("headers", []): name = name.decode("latin1") + # Prevent spoofing via ambiguity between underscores and hyphens. + if "_" in name: + continue if name == "content-length": corrected_name = "CONTENT_LENGTH" elif name == "content-type": |