From 0f5fe8b274787dce770abc5b7bfa7af629ccca7b Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Sat, 2 Jan 2016 18:09:49 -0800
Subject: [PATCH] Modify header sending to match ASGI spec.
---
 daphne/http_protocol.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/daphne/http_protocol.py b/daphne/http_protocol.py
index 795af41..05c9775 100755
--- a/daphne/http_protocol.py
+++ b/daphne/http_protocol.py
@@ -65,19 +65,27 @@ class WebRequest(http.Request):
 self.reply_channel = None
 # Boring old HTTP.
 else:
- # Send request message
 logging.debug("HTTP %s request for %s", self.method, self.reply_channel)
 self.content.seek(0, 0)
+ # Calculate query string
 query_string = ""
 if "?" in self.uri:
 query_string = self.uri.split("?", 1)[1]
+ # Sanitize headers
+ headers = {}
+ for name, value in self.requestHeaders.getAllRawHeaders():
+ # Prevent CVE-2015-0219
+ if "_" in name:
+ continue
+ headers[name.lower()] = value[0]
+ # Send message
 self.factory.channel_layer.send("http.request", {
 "reply_channel": self.reply_channel,
 "method": self.method,
 "path": self.path,
 "scheme": "http",
 "query_string": query_string,
- "headers": {k: v[0] for k, v in self.requestHeaders.getAllRawHeaders()},
+ "headers": headers,
 "body": self.content.read(),
 "client": [self.client.host, self.client.port],
 "server": [self.host.host, self.host.port],
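Review bot: `headers[name.lower()] = value[0]` in the new sanitising loop keeps only the first value of a header that arrives more than once, so the application can see a different value than a front proxy or WAF that reads the last or the combined one (for example `X-Forwarded-For`). If the message format allows only one value per name, consider combining list-valued fields, e.g. `headers[name.lower()] = ",".join(value)`, or say in a comment that first-wins is intended. The `# Prevent CVE-2015-0219` comment would also be clearer if it gave the reason: names containing `_` are dropped because they become indistinguishable from the hyphenated form once a consumer maps headers to `HTTP_*`-style keys. A debug log line on the `continue` branch would make dropped headers visible when diagnosing spoofing attempts. The enclosing method starts and ends outside the hunk.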