[1.8.x] Fixed #25048 -- Documented that runserver strips headers with underscores.

refs 316b8d4974

Backport of 7b6d3104f2 from master
Tim Graham 2015-07-09 09:06:28 -04:00
parent fe367db35f
commit 340c410d58
1 changed files with 6 additions and 0 deletions

@ -170,6 +170,12 @@ All attributes should be considered read-only, unless stated otherwise below.
header called ``X-Bender`` would be mapped to the ``META`` key header called ``X-Bender`` would be mapped to the ``META`` key
``HTTP_X_BENDER``. ``HTTP_X_BENDER``.
Note that :djadmin:`runserver` strips all headers with underscores in the
name, so you won't see them in ``META``. This prevents header-spoofing
based on ambiguity between underscores and dashes both being normalizing to
underscores in WSGI environment variables. It matches the behavior of
Web servers like Nginx and Apache 2.4+.
.. attribute:: HttpRequest.user .. attribute:: HttpRequest.user
An object of type :setting:`AUTH_USER_MODEL` representing the currently An object of type :setting:`AUTH_USER_MODEL` representing the currently
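
Review bot: The added note has a grammar slip in "both being normalizing to underscores"; it should read "both being normalized to underscores", and "Web servers" would usually be lowercase mid-sentence. It would also help to state the scope more directly: the text says :djadmin:`runserver` strips these headers and that this matches Nginx and Apache 2.4+, but it leaves the reader to infer what happens to a header with an underscore in its name when the application is served some other way. A short clause saying whether ``META`` can still contain such headers outside of ``runserver`` would make the spoofing caveat actionable for anyone who relies on ``HTTP_*`` keys for trust decisions.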