Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#19952 closed Bug (invalid)

ALLOWED_HOSTS breaks on subdomains that contain underscores

Reported by: jason@… Owned by: nobody
Component: Uncategorized Version: 1.5
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


I have allowed hosts set to *? on a multitenant CMS, for which users get subdomains that are formatted like this:

However, for users with an underscore in their username, the app 500's with a "SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS):" but works fine for

Change History (3)

comment:1 Changed 5 years ago by Claude Paroz

Resolution: invalid
Status: newclosed

The underscore character is not valid in hostnames (see also explanation in #18517). You can patch django.http.request.host_validation_re in your project, but you've been warned that you don't conform to the standard.

comment:2 Changed 5 years ago by Will Hardy

I agree that underscored host names should not be accepted, but the validation is performed even when DEBUG = True (ie ALLOWED_HOSTS = ["*"]).

This was annoying because I was using a custom name in /etc/hosts to connect to a test server and it wasn't clear why it had failed (the 500 debug page could not be displayed).

comment:3 Changed 5 years ago by anonymous

I gave this side issue its own ticket: #19987

Note: See TracTickets for help on using tickets.
Back to Top