id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19867	get_host shouldn't apply validation to server-set values	anonymous	nobody	"Currently get_host will fall back to SERVER_NAME if there is no usable host header. If that fails, it uses SERVER_NAME, which is a value set by the server itself. In this case there is no need for validation since the value is not from the request.

We recently ran into this issue when updating to Django 1.4.2. We have HAProxy sending requests to nginx, which then connects to gunicorn, which runs our Django application, via a Unix socket. HAProxy health checks by default include no Host header and so, since the request came through a Unix socket, the Unix socket is in SERVER_NAME, which then causes the SuspiciousOperation exception to be raised.

I have a patch which I will send a pull request for and will post a link here to that."	Bug	closed	HTTP handling	1.4	Normal	wontfix	get_host security		Accepted	1	0	0	0	0	0
