About WSGI header spoofing via underscore/dash conflation
82 views
Skip to first unread message
Dario Palmisano
Jan 14, 2020, 7:16:23 AM1/14/20
to django...@googlegroups.com
Hello Everyone,
I have a Django project deployed via apache/uwsgi. But things do not
work ... as described (in
https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpRequest.META).
I would expect all request headers to be converted to "META keys by
converting all characters to uppercase, replacing any hyphens with
underscores and adding an HTTP_ prefix to the name", but instead they
are not!
Does anyone know why? Is it possible the conversion is performed on http
protcol only (not on https which I am using)? Is there any
switch/configuration parameter that enable/disable this conversion?
Any hint explaining the behavior will be really appreciated!
Thanks in advance for your kind advice
Dario
P.S.: The following is the content of requirements.txt
certifi==2018.4.16
cffi==1.11.5
chardet==3.0.4
django-cors-headers==2.2.0
django-simple-history==2.0
djangorestframework==3.7.7
docker==3.5.1
docker-pycreds>=0.3.0
idna==2.6
mysqlclient>=1.3,<1.4
pycparser==2.18
pytz==2018.3
requests>=2.20,<2.21
six==1.11.0
urllib3>=1.23,<1.24
websocket-client==0.47.0
Django==2.1.2
gunicorn>=19.5.0,<19.6
django-filter==2.0.0
mozilla-django-oidc==1.2.1
python-dateutil==2.8.0
I have a Django project deployed via apache/uwsgi. But things do not
work ... as described (in
https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpRequest.META).
I would expect all request headers to be converted to "META keys by
converting all characters to uppercase, replacing any hyphens with
underscores and adding an HTTP_ prefix to the name", but instead they
are not!
Does anyone know why? Is it possible the conversion is performed on http
protcol only (not on https which I am using)? Is there any
switch/configuration parameter that enable/disable this conversion?
Any hint explaining the behavior will be really appreciated!
Thanks in advance for your kind advice
Dario
P.S.: The following is the content of requirements.txt
certifi==2018.4.16
cffi==1.11.5
chardet==3.0.4
django-cors-headers==2.2.0
django-simple-history==2.0
djangorestframework==3.7.7
docker==3.5.1
docker-pycreds>=0.3.0
idna==2.6
mysqlclient>=1.3,<1.4
pycparser==2.18
pytz==2018.3
requests>=2.20,<2.21
six==1.11.0
urllib3>=1.23,<1.24
websocket-client==0.47.0
Django==2.1.2
gunicorn>=19.5.0,<19.6
django-filter==2.0.0
mozilla-django-oidc==1.2.1
python-dateutil==2.8.0
Reply all
Reply to author
Forward
0 new messages