Diffstat (limited to 'django/core/handlers/asgi.py')
-rw-r--r--django/core/handlers/asgi.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/django/core/handlers/asgi.py b/django/core/handlers/asgi.py
index 9555860a7e..7ee52088c4 100644
--- a/django/core/handlers/asgi.py
+++ b/django/core/handlers/asgi.py
@@ -90,6 +90,9 @@ class ASGIRequest(HttpRequest):
_headers = defaultdict(list)
for name, value in self.scope.get("headers", []):
name = name.decode("latin1")
+ # Prevent spoofing via ambiguity between underscores and hyphens.
+ if "_" in name:
+ continue
if name == "content-length":
corrected_name = "CONTENT_LENGTH"
elif name == "content-type":
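Review bot: The comment above the added `if "_" in name: continue` does not say which ambiguity is being closed, and the header is discarded without any trace. Presumably the naming branch that follows (it runs past the end of this hunk, as does the enclosing method) upper-cases the name and turns hyphens into underscores, so `x_foo` and `x-foo` would land on the same META key and a client-sent underscore variant could shadow a value set by a trusted proxy; I would spell that out, e.g. `# Drop names containing "_": "x_foo" and "x-foo" would map to the same META key, so a client could shadow a proxy-set header.` Since this silently changes behaviour for any deployment that relies on underscore-named headers, it is worth a line in the release notes and a regression test that sends both spellings and asserts only the hyphenated value reaches `META`.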