blob: 30ffd4eb9d2a7072784b4552599dec955dbf926f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
===========================
Django 4.2.30 release notes
===========================
*April 7, 2026*
Django 4.2.30 fixes one security issue with severity "moderate" and four
security issues with severity "low" in 4.2.29.
CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
====================================================================
``ASGIRequest`` normalizes header names following WSGI conventions, mapping
hyphens to underscores. As a result, even in configurations where reverse
proxies carefully strip security-sensitive headers named with hyphens, such a
header could be spoofed by supplying a header named with underscores.
Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous
mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But
under ASGI, there is not the same uniform expectation, even if many proxies
protect against this under default configuration (including ``nginx`` via
``underscores_in_headers off;``).
Headers containing underscores are now ignored by ``ASGIRequest``, matching the
behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
|
