Clear out sensitive fake headers from client

We use the header dict to pass on non-header information to the
authentication plugins. Make sure an evil client isn't trying to sneak
something in that hasn't been verified by us.

Issue found by Kevin Rasmussen.

Author: CendioOssman

websockify/websocketproxy.py

@@ -60,6 +60,12 @@ def auth_connection(self):
         if not self.server.auth_plugin:
             return
 
+        # clear out any existing SSL_ headers that the client might
+        # have maliciously set
+        ssl_headers = [ h for h in self.headers if h.startswith('SSL_') ]
+        for h in ssl_headers:
+            del self.headers[h]
+
         try:
             # get client certificate data
             client_cert_data = self.request.getpeercert()