authorHelmut Grohne <helmut@subdivi.de>2011-01-12 21:20:21 +0100
committerHelmut Grohne <helmut@subdivi.de>2011-01-12 21:20:21 +0100
commit8f0c538410f94e18146a3514ba2284af89cbcf59 (patch)
tree9fa8a778f2241041fa73cc95e6bd7fd11aa10579
parent5743d081855fb71db736e6319b1deb6363994c0c (diff)
downloadwsgitools-8f0c538410f94e18146a3514ba2284af89cbcf59.tar.gz
bug fix for StaticContent and CachingMiddleware
PEP 333 says that the headers list passed to start_response may be modified by servers or middlewares. In fact, this happens in DigestAuthMiddleware. The StaticContent and CachingMiddleware classes did not take this into account and returned the same headers list multiple times, which is wrong and can lead to denial of service.
-rw-r--r--wsgitools/applications.py2
-rw-r--r--wsgitools/middlewares.py4
2 files changed, 3 insertions, 3 deletions
diff --git a/wsgitools/applications.py b/wsgitools/applications.py
index 63ed63c..8a02fe8 100644
--- a/wsgitools/applications.py
+++ b/wsgitools/applications.py
@@ -54,7 +54,7 @@ class StaticContent:
start_response("501 Not Implemented",
[("Content-length", str(len(resp)))])
return [resp]
- start_response(self.status, self.headers)
+ start_response(self.status, list(self.headers))
if environ["REQUEST_METHOD"].upper() == "HEAD":
return []
return self.content
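Review bot: The copy in `start_response(self.status, list(self.headers))` carries no comment saying why it is there, so a later cleanup could drop it as redundant and bring back the shared-list growth the commit message describes. I would add `# PEP 333 lets servers and middlewares modify this list; pass a copy so self.headers is never changed` above the call, and the same comment on the two `list(...)` calls in CachingMiddleware in wsgitools/middlewares.py. A shallow copy looks sufficient as long as the entries are tuples, as in the 501 branch above; that is an inference, because the code that builds self.headers is not visible here. The enclosing method starts outside the hunk.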
diff --git a/wsgitools/middlewares.py b/wsgitools/middlewares.py
index 46a93f5..654f5db 100644
--- a/wsgitools/middlewares.py
+++ b/wsgitools/middlewares.py
@@ -260,7 +260,7 @@ class CachingMiddleware:
if path in self.cache and self.cacheable(environ):
cache_object = self.cache[path]
if cache_object[0] + self.maxage >= now:
- start_response(cache_object[1], cache_object[2])
+ start_response(cache_object[1], list(cache_object[2]))
return cache_object[3]
else:
del self.cache[path]
@@ -272,7 +272,7 @@ class CachingMiddleware:
return self.app(status, headers, exc_info)
cache_object[1] = status
cache_object[2] = headers
- write = start_response(status, headers)
+ write = start_response(status, list(headers))
def modified_write(data):
cache_object[3].append(data)
write(data)
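Review bot: `cache_object[2] = headers` still stores the wrapped application's own list by reference, so the cached entry changes if that list is modified after this point, for example by an application that reuses one headers list across calls. The added `list(headers)` only protects the outward direction, towards the server and outer middlewares. Storing a copy as well, `cache_object[2] = list(headers)`, would make the cache entry independent of both sides. Whether any application in this code base reuses its list is not visible here. The enclosing function begins before the hunk and continues after it.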