diff --git a/daphne/http_protocol.py b/daphne/http_protocol.py
index b2304df..d1358bf 100755
--- a/daphne/http_protocol.py
+++ b/daphne/http_protocol.py
@@ -41,12 +41,12 @@ class WebRequest(http.Request):
 if b"?" in self.uri:
 self.query_string = self.uri.split(b"?", 1)[1]
 # Sanitize headers
- self.headers = {}
+ self.clean_headers = {}
 for name, value in self.requestHeaders.getAllRawHeaders():
 # Prevent CVE-2015-0219
 if b"_" in name:
 continue
- self.headers[name.lower().decode("latin1")] = value[0]
+ self.clean_headers[name.lower().decode("latin1")] = value[0]
 # Is it WebSocket? IS IT?!
 if upgrade_header == "websocket":
 # Make WebSocket protocol to hand off to
@@ -88,7 +88,7 @@ class WebRequest(http.Request):
 "path": self.path,
 "scheme": "http",
 "query_string": self.query_string,
- "headers": self.headers,
+ "headers": self.clean_headers,
 "body": self.content.read(),
 "client": [self.client.host, self.client.port],
 "server": [self.host.host, self.host.port],
diff --git a/daphne/ws_protocol.py b/daphne/ws_protocol.py
index ed3544c..99b8754 100755
--- a/daphne/ws_protocol.py
+++ b/daphne/ws_protocol.py
@@ -21,7 +21,7 @@ class WebSocketProtocol(WebSocketServerProtocol):
 def onConnect(self, request):
 self.request_info = {
 "path": request.path,
- "headers": self.headers,
+ "headers": self.clean_headers,
 "query_string": request.query_string,
 "client": [request.client.host, request.client.port],
 "server": [request.host.host, request.host.port],
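Review bot: In daphne/http_protocol.py, the sanitising loop in the first hunk stores only `value[0]` in `self.clean_headers`, so a header sent more than once is silently reduced to its first value. A front proxy and the application behind it may then disagree about which value counts, which matters for any header that feeds an access or routing decision. The keys are also decoded to `str` while the values appear to stay as raw bytes, and nothing says so. I would state both choices next to the loop, e.g. `# Keys: lower-cased latin1 str; values: raw bytes, first occurrence only`, or combine repeated values before storing them. The enclosing method starts and ends outside the hunk.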
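Review bot: In daphne/ws_protocol.py, `onConnect` now reads `self.clean_headers`, but the only assignment visible in this diff is on `WebRequest` in http_protocol.py, which is a different object from the `WebSocketProtocol` instance. If the hand-off code outside these hunks does not copy the dict onto the protocol before `onConnect` runs, the handshake fails with AttributeError. Reading headers from the `request` argument instead would skip the underscore filter that guards against CVE-2015-0219. Please confirm the hand-off and, if it is as assumed, record it in `onConnect` with a comment such as `# clean_headers is attached by WebRequest at hand-off: underscore-filtered, lower-cased names`. `onConnect` continues past the end of the hunk.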