Diffstat (limited to 'django')
-rw-r--r--django/core/handlers/asgi.py3
-rw-r--r--django/test/client.py5
2 files changed, 7 insertions, 1 deletions
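--- a/django/core/handlers/asgi.py
+++ b/django/core/handlers/asgi.py
@@ -90,6 +90,9 @@ class ASGIRequest(HttpRequest):
 _headers = defaultdict(list)
 for name, value in self.scope.get("headers", []):
 name = name.decode("latin1")
+# Prevent spoofing via ambiguity between underscores and hyphens.
+if "_" in name:
+continue
 if name == "content-length":
 corrected_name = "CONTENT_LENGTH"
 elif name == "content-type":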
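Review bot: The new guard drops the header silently and its comment names the symptom (spoofing) but not the mechanism, so a later maintainer lacking the CVE context could "fix" it by normalizing underscores to hyphens instead of dropping, which would reintroduce the issue. I would extend the comment to state why dropping is the safe choice and tie it to the advisory quoted elsewhere in this commit: `# Drop header names containing underscores: "_" and "-" presumably collapse onto the same META key further down, so the two spellings could not be told apart downstream (CVE-2026-3902).` The hyphen-to-underscore META mapping and the rest of the loop body lie below this hunk, outside the visible lines. The diffstat is limited to the django/ tree, so whether a regression test for a scope carrying an underscored header name accompanies this change is not visible here.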
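--- a/django/test/client.py
+++ b/django/test/client.py
@@ -773,7 +773,10 @@ class AsyncRequestFactory(RequestFactory):
 if headers:
 extra.update(HttpHeaders.to_asgi_names(headers))
 s["headers"] += [
-(key.lower().encode("ascii"), value.encode("latin1"))
+# Avoid breaking test clients that just want to supply normalized
+# ASGI names, regardless of the fact that ASGIRequest drops headers
+# with underscores (CVE-2026-3902).
+(key.lower().replace("_", "-").encode("ascii"), value.encode("latin1"))
 for key, value in extra.items()
 ]
 return self.request(**s)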
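Review bot: The three-line comment is placed inside the list comprehension, between `s["headers"] += [` and the element tuple, where it is easy to miss and reads as if it documented the tuple rather than the translation; it belongs on the lines above the `+=`, and it should say what the code does as well as why, e.g. `# ASGIRequest drops header names containing underscores (CVE-2026-3902);` / `# translate "_" to "-" so callers passing WSGI-style META names still reach the view.` One consequence worth a sentence in that comment: a test that wants to exercise ASGIRequest's underscore-dropping path can no longer do so through this factory and must build the scope's `headers` list by hand. Whether `HttpHeaders.to_asgi_names` already emits hyphenated names is not visible in the hunk; if it does, the `replace` only matters for keys supplied directly via `extra`. The enclosing method starts before this hunk.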