Ticket #24239: 0001-1.4.x-Fixed-24239-merge-both-WSGIRequestHandler.get_.patch

File 0001-1.4.x-Fixed-24239-merge-both-WSGIRequestHandler.get_.patch, 2.3 KB (added by Raphaël Hertzog, 5 years ago)

Suggested patch

  • django/core/servers/basehttp.py

    From b5cfe770f4ed31ded4bcd477f8a3e5060bd52f84 Mon Sep 17 00:00:00 2001
    From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hertzog@debian.org>
    Date: Wed, 28 Jan 2015 17:56:04 +0100
    Subject: [PATCH] [1.4.x] Fixed #24239 -- merge both
     WSGIRequestHandler.get_environ() methods
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    
    Commit 4f6fffc1dc429f1ad428ecf8e6620739e8837450 incorrectly added a
    get_environ() method that replaced the original implementation. Instead
    the filtering logic should have been merged into the pre-existing
    get_environ().
    
    Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
    ---
     django/core/servers/basehttp.py | 19 ++++++++-----------
     1 file changed, 8 insertions(+), 11 deletions(-)
    
    diff --git a/django/core/servers/basehttp.py b/django/core/servers/basehttp.py
    index 0ec5f98..ef18687 100644
    a b class WSGIRequestHandler(simple_server.WSGIRequestHandler, object): 
    160160        if length:
    161161            env['CONTENT_LENGTH'] = length
    162162
     163        # Strip all headers with underscores in the name before constructing
     164        # the WSGI environ. This prevents header-spoofing based on ambiguity
     165        # between underscores and dashes both normalized to underscores in WSGI
     166        # env vars. Nginx and Apache 2.4+ both do this as well.
     167        for k, v in self.headers.items():
     168            if '_' in k:
     169                del self.headers[k]
     170
    163171        for h in self.headers.headers:
    164172            k,v = h.split(':',1)
    165173            k=k.replace('-','_').upper(); v=v.strip()
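Review bot: The filter added at new lines 167-169 deletes from self.headers, while the loop right after it builds the environ from self.headers.headers, so the stripping only takes effect if `del self.headers[k]` also removes the matching raw lines from that list. Doing the check inside the existing loop removes that dependency and the extra pass: after `k,v = h.split(':',1)`, add `if '_' in k: continue` before the `k.replace('-','_')` line. That also drops the unused `v` in `for k, v in self.headers.items()`.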
    class WSGIRequestHandler(simple_server.WSGIRequestHandler, object): 
    199207
    200208        sys.stderr.write(msg)
    201209
    202     def get_environ(self):
    203         # Strip all headers with underscores in the name before constructing
    204         # the WSGI environ. This prevents header-spoofing based on ambiguity
    205         # between underscores and dashes both normalized to underscores in WSGI
    206         # env vars. Nginx and Apache 2.4+ both do this as well.
    207         for k, v in self.headers.items():
    208             if '_' in k:
    209                 del self.headers[k]
    210 
    211         return super(WSGIRequestHandler, self).get_environ()
    212 
    213210
    214211class AdminMediaHandler(handlers.StaticFilesHandler):
    215212    """
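Review bot: Removing the second get_environ() at old lines 202-211 comes without a regression test; the diffstat lists only django/core/servers/basehttp.py. The commit message says the earlier fix silently replaced the original method, so a test should cover both halves of the merged method: a request carrying a header with an underscore in its name must not appear in the environ, and the keys set by the original get_environ() (for example CONTENT_LENGTH, visible in the first hunk) must still be present.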