summaryrefslogtreecommitdiff
path: root/docs/releases/4.2.30.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/4.2.30.txt')
-rw-r--r--docs/releases/4.2.30.txt20
1 files changed, 20 insertions, 0 deletions
diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt
index a2679c7736..30ffd4eb9d 100644
--- a/docs/releases/4.2.30.txt
+++ b/docs/releases/4.2.30.txt
@@ -6,3 +6,23 @@ Django 4.2.30 release notes
Django 4.2.30 fixes one security issue with severity "moderate" and four
security issues with severity "low" in 4.2.29.
+
+CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
+====================================================================
+
+``ASGIRequest`` normalizes header names following WSGI conventions, mapping
+hyphens to underscores. As a result, even in configurations where reverse
+proxies carefully strip security-sensitive headers named with hyphens, such a
+header could be spoofed by supplying a header named with underscores.
+
+Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous
+mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But
+under ASGI, there is not the same uniform expectation, even if many proxies
+protect against this under default configuration (including ``nginx`` via
+``underscores_in_headers off;``).
+
+Headers containing underscores are now ignored by ``ASGIRequest``, matching the
+behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
generated by cgit v1.3 (git 2.53.0) at 2026-06-30 18:21:10 +0000