SuspiciousOperation should not be answered with HTTP 500
Reported by: Daniel Seither
Owned by: Preston Holmes
Cc: jshuping, firass, Tomáš KOSTRHUN, net147
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
If a request comes in which does not use one of the allowed host names from the ALLOWED_HOSTS setting, a SuspiciousOperation exception is thrown:
Traceback (most recent call last):
  File "/srv/virtualenv/sesp/lib/python2.7/site-packages/django/core/handlers/base.py", line 89, in get_response
    response = middleware_method(request)
  File "/srv/virtualenv/sesp/lib/python2.7/site-packages/django/middleware/common.py", line 55, in process_request
    host = request.get_host()
  File "/srv/virtualenv/sesp/lib/python2.7/site-packages/django/http/__init__.py", line 223, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): spamserver.net.example
This results in an internal server error.
I would expect that an HTTP client error (4xx, maybe 403) is sent instead of an HTTP server error, as the error is caused by the client (here: spoofed host name while trying to mount an attack on the server).
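As an added example that is not code from the ticket or from Django itself, here is a self-contained model of the behaviour the report describes: a Host header is checked against ALLOWED_HOSTS (exact name, leading-dot subdomain pattern, or "*"), a failed check raises SuspiciousOperation, and the request handler maps that exception to a 400 client error instead of letting it surface as a 500. The ALLOWED_HOSTS values, the HOST_RE pattern and the handle_request helper are constructed for this example.

```python
# Constructed model of ALLOWED_HOSTS checking and error mapping; not Django's code.
import re


class SuspiciousOperation(Exception):
    """Raised when a request fails a security check (here: a bad Host header)."""


# Hypothetical settings value, constructed for this example.
ALLOWED_HOSTS = ["www.example.com", ".trusted.example"]

# Only plain host names, optionally with a port, are modelled (no IPv6 literals).
HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d+)?$", re.IGNORECASE)


def host_is_allowed(host, allowed):
    """Match a host against ALLOWED_HOSTS patterns: exact name, a leading-dot
    pattern that also matches the bare domain and its subdomains, or '*'."""
    for pattern in allowed:
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def get_host(environ, allowed=ALLOWED_HOSTS):
    """Return the validated, lower-cased host name without its port, or raise
    SuspiciousOperation when the header is malformed or not allowed."""
    raw = environ.get("HTTP_HOST", "")
    if not HOST_RE.match(raw):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % raw)
    host = raw.lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]  # strip the port before matching
    if not host_is_allowed(host, allowed):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %s" % host)
    return host


def handle_request(environ, view):
    """Dispatch like a request handler: a SuspiciousOperation is caused by the
    client and becomes a 400; any other unexpected error remains a 500."""
    try:
        return 200, view(get_host(environ))
    except SuspiciousOperation as exc:
        return 400, "Bad Request: %s" % exc
    except Exception:
        return 500, "Internal Server Error"
```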
Change History (29)
comment:8 Changed 4 years ago by
Summary: changed from "Spoofed host name (not in ALLOWED_HOSTS) should not be answered with HTTP 500" to "SuspiciousOperation should not be answered with HTTP 500"
comment:22 Changed 4 years ago by
Owner: changed from nobody to Preston Holmes
Status: new → assigned