
Re: [DONE] wml://{security/2015/dla-143.wml}



On 07 Jun, Lev Lamberov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> - --- english/security/2015/dla-143.wml	2016-04-09 01:32:24.000000000 +0500
> +++ russian/security/2015/dla-143.wml	2016-06-07 14:32:17.696832908 +0500
> @@ -1,80 +1,81 @@
>  
> - -    <p>When HTTP headers are placed into the WSGI environ, they are
> - -    normalized by converting to uppercase, converting all dashes to
> - -    underscores, and prepending HTTP_. For instance, a header X-Auth-User
> - -    would become HTTP_X_AUTH_USER in the WSGI environ (and thus also in
> - -    Django's request.META dictionary).</p>
> - -
> - -    <p>Unfortunately, this means that the WSGI environ cannot distinguish
> - -    between headers containing dashes and headers containing underscores:
> - -    X-Auth-User and X-Auth_User both become HTTP_X_AUTH_USER. This means
> - -    that if a header is used in a security-sensitive way (for instance,
> - -    passing authentication information along from a front-end proxy), even
> - -    if the proxy carefully strips any incoming value for X-Auth-User, an
> - -    attacker may be able to provide an X-Auth_User header (with
> - -    underscore) and bypass this protection.</p>
> - -
> - -    <p>In order to prevent such attacks, both Nginx and Apache 2.4+ strip
> - -    all headers containing underscores from incoming requests by
> - -    default. Django's built-in development server now does the same.
> - -    Django's development server is not recommended for production use,
> - -    but matching the behavior of common production servers reduces the
> - -    surface area for behavior changes during deployment.</p></li>
> +    <p>Когда заголовки HTTP помещаются в окружение WSGI, они
> +    нормализуются путём преобразования в верхних регистр, преобразования всех тире в
converting LETTERS to UPPER case ("преобразования БУКВ в верхниЙ").

> +    подчёркивания, и добавления HTTP_. Например, заголовок X-Auth-User
And here I would be more precise: "добавления префикса HTTP_" ("adding the prefix HTTP_").

> +    в окружении WSGI стал бы HTTP_X_AUTH_USER (и в Django словаре
> +    request.META).</p>
> +
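Review bot: the translated parenthetical on the `+` lines, "(и в Django словаре request.META)", drops "thus also", losing the point that request.META carries the same normalized name only because Django takes it from the WSGI environ; "(и, таким образом, также в словаре request.META в Django)" would keep it. The same `+` lines still read "в верхних регистр" where "в верхний регистр" is needed, and "преобразования всех тире в подчёркивания, и добавления HTTP_" has a stray comma before "и". Also, the quoted excerpt stops after the first translated paragraph while the `-` side removes all three English paragraphs, including the X-Auth_User underscore bypass and the Nginx/Apache 2.4+ underscore-stripping mitigation, so the full patch should be checked for the translations of paragraphs two and three.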

-- 
Best regards,
Andrey Skvortsov
