On 07 Jun, Lev Lamberov wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > - --- english/security/2015/dla-143.wml 2016-04-09 01:32:24.000000000 +0500 > +++ russian/security/2015/dla-143.wml 2016-06-07 14:32:17.696832908 +0500 
> @@ -1,80 +1,81 @@ > > - - <p>When HTTP headers are placed into the WSGI environ, they are > - - normalized by converting to uppercase, converting all dashes to > - - underscores, and prepending HTTP_. For instance, a header X-Auth-User > - - would become HTTP_X_AUTH_USER in the WSGI environ (and thus also in > - - Django's request.META dictionary).</p> > - - > - - <p>Unfortunately, this means that the WSGI environ cannot distinguish > - - between headers containing dashes and headers containing underscores: > - - X-Auth-User and X-Auth_User both become HTTP_X_AUTH_USER. This means > - - that if a header is used in a security-sensitive way (for instance, > - - passing authentication information along from a front-end proxy), even > - - if the proxy carefully strips any incoming value for X-Auth-User, an > - - attacker may be able to provide an X-Auth_User header (with > - - underscore) and bypass this protection.</p> > - - > - - <p>In order to prevent such attacks, both Nginx and Apache 2.4+ strip > - - all headers containing underscores from incoming requests by > - - default. Django's built-in development server now does the same. > - - Django's development server is not recommended for production use, > - - but matching the behavior of common production servers reduces the > - - surface area for behavior changes during deployment.</p></li> > + <p>Когда заголовки HTTP помещаются в окружение WSGI, они > + нормализуются путём преобразования в верхних регистр, преобразования всех тире в преобразования БУКВ в верхниЙ > + подчёркивания, и добавления HTTP_. Например, заголовок X-Auth-User а тут бы я уточнил. "добавления префикса HTTP_" > + в окружении WSGI стал бы HTTP_X_AUTH_USER (и в Django словаре > + request.META).</p> > + -- Best regards, Andrey Skvortsov
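Review bot: in the `+` lines of this hunk, the Russian "преобразования в верхних регистр" has a case-agreement error and should read "преобразования букв в верхний регистр" ("converting letters to uppercase"), which is what the inline remark written in capitals is pointing at; likewise "добавления HTTP_" should be made explicit as "добавления префикса HTTP_" ("prepending the HTTP_ prefix") so the translation matches "prepending HTTP_" in the removed English paragraph. The two inline remarks sit inside the quoted `+` lines and are the reviewer's comments, not translated text, so they must not end up in the committed wml file. The leading `- -` on the removed lines is the PGP clearsign dash-escaping of lines that start with `-`, not a doubled removal marker, and needs no fix.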