Comments (7)
Thank you very much @carltongibson! I was about to start working on this just now, only to find that you've beaten me to it :)
from daphne.
Of particular note is that \x00, \t, and are permitted, which have historically been sources of exploitable parsing discrepancies between origin servers and gateway servers.
@kenballus thanks for the report. Are you up for making a PR here?
h11 gives a regex for a header name here:
That's then validated when parsing the headers here: https://github.com/python-hyper/h11/blob/a2c68948accadc3876dffcf979d98002e4a4ed27/h11/_headers.py#L163
Gunicorn does similar here https://github.com/benoitc/gunicorn/blob/cf55d2cec277f220ebd605989ce78ad1bb553c46/gunicorn/http/message.py#L92-L93 (but matching bad headers, with what looks like a more complex regex.)
We'd handle that in the http and ws protocols:
daphne/daphne/http_protocol.py, lines 147 to 158 in 993efe6
lines 37 to 44 in 993efe6
Need to investigate whether this should be handled by twisted. https://github.com/twisted/twisted/blob/446ee139189440e890b26a29af256e9b9d0e8eba/src/twisted/web/http_headers.py
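As an added illustration of the token check discussed in the comments above (the NUL and TAB names called out in the first report, and the h11/gunicorn regex comparison here), this is not code from the daphne, h11 or gunicorn projects: the regex, the validate_headers helper and the sample headers are constructed for this example and check header names against the RFC 9110 token grammar.

```python
import re

# RFC 9110 (formerly 7230) "token" grammar: a field name is one or more tchar.
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# Constructed for this example; it is not the h11 or gunicorn pattern.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_header_name(name: bytes) -> bool:
    """True iff *name* is a non-empty RFC 9110 token.

    fullmatch is used deliberately: an anchored ``^...$`` with re.match
    would still accept a name ending in a single trailing newline.
    """
    return _TOKEN_RE.fullmatch(name) is not None


def validate_headers(headers):
    """Split (name, value) byte pairs into accepted and rejected lists.

    Accepted names are lower-cased as an ASGI headers list would carry them;
    rejected entries carry a reason string so a server can log or 400 them.
    """
    accepted, rejected = [], []
    for name, value in headers:
        if not is_valid_header_name(name):
            rejected.append((name, value, "header name is not an RFC 9110 token"))
        else:
            accepted.append((name.lower(), value))
    return accepted, rejected


# Constructed sample headers: two ordinary names, then names containing the
# control bytes the report mentions (NUL, TAB) plus other bytes that the
# token grammar also forbids (space, CR LF, colon, and an empty name).
SAMPLE_HEADERS = [
    (b"Host", b"example.test"),
    (b"X-Request-Id", b"abc123"),
    (b"Content\x00Type", b"text/plain"),   # embedded NUL
    (b"X-Bad\tName", b"1"),                # embedded TAB
    (b"X-Bad Name", b"1"),                 # embedded space
    (b"X-Bad\r\nName", b"1"),              # embedded CR LF
    (b"X-Bad:Name", b"1"),                 # colon is a separator, not tchar
    (b"", b"empty"),                       # empty name
]

if __name__ == "__main__":
    ok, bad = validate_headers(SAMPLE_HEADERS)
    for name, _, why in bad:
        print(f"rejected {name!r}: {why}")
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```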
h11 test examples for no weird characters in names are here:
Should be addressed by #500.
You're welcome @kenballus. Thanks for the follow up. 🎁