id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19866	SuspiciousOperation should not be answered with HTTP 500	Daniel Seither	Preston Holmes	"If a request comes in which does not use one of the allowed host names from the ALLOWED_HOSTS setting, a SuspiciousOperation exception is thrown:

{{{
Traceback (most recent call last):

  File ""/srv/virtualenv/sesp/lib/python2.7/site-packages/django/core/handlers/base.py"", line 89, in get_response
    response = middleware_method(request)

  File ""/srv/virtualenv/sesp/lib/python2.7/site-packages/django/middleware/common.py"", line 55, in process_request
    host = request.get_host()

  File ""/srv/virtualenv/sesp/lib/python2.7/site-packages/django/http/__init__.py"", line 223, in get_host
    ""Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s"" % host)

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): spamserver.net.example
}}}

This results in an internal server error.

I would expect that an HTTP client error (4xx, maybe 403) is sent instead of an HTTP server error, as the error is caused by the client (here: spoofed host name while trying to mount an attack on the server)."	Bug	closed	HTTP handling	dev	Release blocker	fixed		jshuping firass Tomáš KOSTRHUN net147	Accepted	1	0	0	0	0	0
