authorJacob Walls <jacobtylerwalls@gmail.com>2026-01-22 17:01:46 -0500
committerJacob Walls <jacobtylerwalls@gmail.com>2026-04-07 07:12:09 -0400
commitcaf90a971f09323775ed0cacf94eadaf39d040e0 (patch)
treeff6c10819e86d176f7ba36d2922374a8e7ee253e /tests
parent33bfc66add643f49d466c5a646989ad91677753d (diff)
Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews.
Diffstat (limited to 'tests')
-rw-r--r--tests/asgi/tests.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/tests/asgi/tests.py b/tests/asgi/tests.py
index 6a44d21d38..19e14af5ca 100644
--- a/tests/asgi/tests.py
+++ b/tests/asgi/tests.py
@@ -280,6 +280,17 @@ class ASGITest(SimpleTestCase):
self.assertEqual(len(request.headers["foo"].split(",")), 200_000)
self.assertLessEqual(setitem_count, 100)
+ async def test_underscores_in_headers_ignored(self):
+ scope = self.async_request_factory._base_scope(path="/", http_version="2.0")
+ scope["headers"] = [(b"some_header", b"1")]
+ request = ASGIRequest(scope, None)
+ # No form of the header exists anywhere.
+ self.assertNotIn("Some_Header", request.headers)
+ self.assertNotIn("Some-Header", request.headers)
+ self.assertNotIn("SOME_HEADER", request.META)
+ self.assertNotIn("SOME-HEADER", request.META)
+ self.assertNotIn("HTTP_SOME_HEADER", request.META)
+
async def test_cancel_post_request_with_sync_processing(self):
"""
The request.body object should be available and readable in view
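Review bot: `test_underscores_in_headers_ignored` only sends `some_header` on its own, so it does not pin the case the CVE title implies, where an underscore header arrives next to a legitimate `some-header` and both would normalise to `HTTP_SOME_HEADER`. A sibling test that sends both, in either order, and asserts that only the hyphenated value reaches `request.META` and `request.headers` would catch a regression where the filter runs after name normalisation or the values get merged. The fix itself is not in this tests-only view, so the expected values below are inferred from the commit title and should be checked against the handler change. `ASGITest` begins above the hunk.

```python
    async def test_underscore_header_does_not_shadow_hyphenated(self):
        pairs = [(b"some-header", b"legit"), (b"some_header", b"spoofed")]
        for headers in (pairs, pairs[::-1]):
            with self.subTest(headers=headers):
                scope = self.async_request_factory._base_scope(
                    path="/", http_version="2.0"
                )
                scope["headers"] = headers
                request = ASGIRequest(scope, None)
                self.assertEqual(request.META["HTTP_SOME_HEADER"], "legit")
                self.assertEqual(request.headers["Some-Header"], "legit")
```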