| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-01-22 17:01:46 -0500 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 07:32:02 -0400 |
| commit | 1cc2a7612f97c109b92415fc11ba9bd0501852e0 (patch) | |
| tree | 785bb550512e6ce87b34746357504b1c80148d1b /django | |
| parent | 2a8a76a002774e3f6bc10188594593e0104ceb66 (diff) | |
[5.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/handlers/asgi.py | 3 | ||||
| -rw-r--r-- | django/test/client.py | 5 |
2 files changed, 7 insertions, 1 deletions
diff --git a/django/core/handlers/asgi.py b/django/core/handlers/asgi.py index 2dfcc7f31d..16eda736bd 100644 --- a/django/core/handlers/asgi.py +++ b/django/core/handlers/asgi.py @@ -87,6 +87,9 @@ class ASGIRequest(HttpRequest): _headers = defaultdict(list) for name, value in self.scope.get("headers", []): name = name.decode("latin1") + # Prevent spoofing via ambiguity between underscores and hyphens. + if "_" in name: + continue if name == "content-length": corrected_name = "CONTENT_LENGTH" elif name == "content-type": diff --git a/django/test/client.py b/django/test/client.py index c733372130..6b33b442f8 100644 --- a/django/test/client.py +++ b/django/test/client.py @@ -773,7 +773,10 @@ class AsyncRequestFactory(RequestFactory): if headers: extra.update(HttpHeaders.to_asgi_names(headers)) s["headers"] += [ - (key.lower().encode("ascii"), value.encode("latin1")) + # Avoid breaking test clients that just want to supply normalized + # ASGI names, regardless of the fact that ASGIRequest drops headers + # with underscores (CVE-2026-3902). + (key.lower().replace("_", "-").encode("ascii"), value.encode("latin1")) for key, value in extra.items() ] return self.request(**s) |
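Review bot: The new comment above `if "_" in name: continue` names the ambiguity but not the mechanism, so the next reader cannot tell why an underscore alone is grounds for dropping a header; the concern, presumably, is that the META key built further down the loop (outside this hunk) maps `-` to `_`, so `x_forwarded_for` and `x-forwarded-for` collapse into the same `HTTP_X_FORWARDED_FOR` and a client-supplied underscore variant could shadow a header a proxy is expected to control. I would expand the comment to `# An underscore name (e.g. "x_forwarded_for") would collapse into the same META key as its hyphenated form once "-" is mapped to "_", letting a client spoof proxy-controlled headers; drop it outright rather than try to disambiguate.` The check is correctly placed before the content-length/content-type special-casing, so a `content_length` header is dropped rather than promoted to `CONTENT_LENGTH`. The drop is silent; that is the safe default, but if it turns out to break deployments behind proxies that emit such names, a debug-level log of the dropped name would make the cause discoverable. The loop body continues past the hunk, so the META-key construction itself is not visible here.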
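Review bot: `key.lower().replace("_", "-")` rewrites every key unconditionally, so this factory can no longer produce a header name containing an underscore at all; a test that wants to exercise ASGIRequest's new dropping behaviour (the regression test for CVE-2026-3902) must append to `scope["headers"]` by hand instead of going through this method. That trade-off is reasonable, but the comment should state it plainly rather than as "regardless of the fact that"; I would reword it to `# Normalize underscores to hyphens so callers passing underscore-style names still reach the view; ASGIRequest drops underscore names (CVE-2026-3902), so tests for that behaviour must build scope["headers"] directly.` Whether `extra` can still carry `HTTP_`-prefixed keys is not visible in the hunk; if it can, such a key is now rewritten to `http-x-foo` rather than stripped, which is worth confirming against the callers of this method. The enclosing method begins before the hunk.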
