SCRIPT_NAME header is dropped/rejected by header map validation #3200
From the Gunicorn documentation, and the corresponding code, it is possible to use a `SCRIPT_NAME` HTTP header to set the `SCRIPT_NAME` key in the WSGI environment for the corresponding request.

However, as `SCRIPT_NAME` contains an underscore, it is dropped by the new code in `parse_headers` by default.

I think that `SCRIPT_NAME` should be special-cased by the header validation logic, as it cannot be confused (it never gets added as `HTTP_SCRIPT_NAME` in the WSGI environment, so it would never conflict with a `Script-Name` header anyway).

Comments

Sorry, my attempt at closing the dash/underscore problem modified was excessive for that use case. Note that when gunicorn pulls something from a header and puts it into environ the problem is slightly different. The issue then is not that the application cannot tell which

You can neutralize the code discarding the underscore headers using the `--header-map dangerous` escape hatch provided in the same patch. Do so only when you know your application (or applicable frameworks & libraries) will robustly deal with maliciously crafted invalid input in such headers (if they can receive such). A more nuanced solution is suggested in #3192 but still needs better documentation and review.

Here's a minimalish repro, in case it's helpful to anyone: https://github.com/sartography/repro-gunicorn-22-0-0-regression