Why does waitress ignore http headers with "_" ? #194

bostrick · 2018-05-20T22:55:37Z

When parsing headers, waitress ignores any any HTTP header with "_"...

https://github.com/Pylons/waitress/blob/master/waitress/parser.py#L185

This is non-intuitive, and against RFC7230 spec...

https://tools.ietf.org/html/rfc7230#appendix-B

header-field = field-name ":" OWS field-value OWS
field-name = token
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
"^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA

This led to wasted effort debugging the wrong layer of a protocol before using a packet sniffer... is there a reason for it?

Thanks!

The text was updated successfully, but these errors were encountered:

digitalresistor · 2018-05-20T23:09:06Z

Yes, there is a reason for it. Security.

Please see #129

As mentioned in https://www.djangoproject.com/weblog/2015/jan/13/security/ which led to #80, and underscore in HTTP headers being stripped being implemented in Waitress:

In order to prevent such attacks, both Nginx and Apache 2.4+ strip all headers containing underscores from incoming requests by default.

bostrick · 2018-05-20T23:14:21Z

Thanks for quick response! I'll file against mod_auth_openidc for introducing subtly problematic default headers ;)...

bostrick mentioned this issue May 20, 2018

Remove non-RFC7230 compliant filtering of "_" from HTTP headers #195

Closed

digitalresistor closed this as completed May 20, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Why does waitress ignore http headers with "_" ? #194

Why does waitress ignore http headers with "_" ? #194

bostrick commented May 20, 2018

digitalresistor commented May 20, 2018

bostrick commented May 20, 2018

Why does waitress ignore http headers with "_" ? #194

Why does waitress ignore http headers with "_" ? #194

Comments

bostrick commented May 20, 2018

digitalresistor commented May 20, 2018

bostrick commented May 20, 2018