get_host shouldn't apply validation to server-set values
|Reported by:||anonymous||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Currently get_host will fall back to SERVER_NAME if there is no usable host header. If that fails, it uses SERVER_NAMEm which is a value set by the server itself. In this case there is no need for validation since the value is not from the request.
We recently ran into this issue when updating to django 1.4.2. We have HAProxy sending requests to nginx, which then connects to gunicorn, which runs our django application, via a unix socket. HAProxy health checks by default include no Host header and so, since the request came through a unix socket, the unix socket is in SERVER_NAME, which then causes the SuspiciousOperation exception to be raised.
I have a patch which I will send a pull request for and will post a link here to that.
Change History (7)
comment:5 Changed 4 years ago by
|Status:||new → closed|