Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#19952 closed Bug (invalid)

ALLOWED_HOSTS breaks on subdomains that contain underscores

Reported by: jason@…
Owned by: nobody
Component: Uncategorized
Version: 1.5
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I have allowed hosts set to *? on a multitenant CMS, for which users get subdomains that are formatted like this: username.portfolios.mysite.com

However, for users with an underscore in their username, the app 500's with a "SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): some_username.portfolios.mysite.com" but works fine for someusername.portfolios.mysite.com

Change History (3)

comment:1 Changed 3 years ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

The underscore character is not valid in hostnames (see also explanation in #18517). You can patch django.http.request.host_validation_re in your project, but you've been warned that you don't conform to the standard.

comment:2 Changed 2 years ago by Will Hardy

I agree that underscored host names should not be accepted, but the validation is performed even when DEBUG = True (i.e. ALLOWED_HOSTS = ["*"]).

This was annoying because I was using a custom name in /etc/hosts to connect to a test server and it wasn't clear why it had failed (the 500 debug page could not be displayed).
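The two-stage check discussed in comments 1 and 2, as an added example that is not part of the ticket and not Django's own code: a format check on the Host header runs before the allow-list match, so a wildcard entry never sees a name containing an underscore. The pattern and the names `HOST_FORMAT_RE`, `matches_allowed` and `check_host` are assumptions made for illustration; the return value keeps the two rejection causes apart so the failure reason is visible.

```python
import re

# Assumption: hostname alphabet limited to letters, digits, hyphen and dot,
# plus bracketed IPv6 literals and an optional port. Hypothetical pattern
# written for this example, not copied from Django.
HOST_FORMAT_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


def matches_allowed(name, allowed_hosts):
    """True if name matches an entry: "*", an exact name, or ".suffix"."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == name:
            return True
        # ".mysite.com" matches mysite.com itself and any subdomain of it.
        if pattern.startswith(".") and (
            name.endswith(pattern) or name == pattern[1:]
        ):
            return True
    return False


def check_host(raw_host, allowed_hosts):
    """Classify a Host header value, keeping the two rejection causes apart."""
    host = raw_host.strip().lower()
    match = HOST_FORMAT_RE.match(host)
    if match is None:
        # The format check runs first, so "*" cannot rescue a malformed name.
        return "rejected: malformed"
    name = match.group(1)  # host part without the optional port
    if not matches_allowed(name, allowed_hosts):
        return "rejected: not allowed"
    return "accepted"


if __name__ == "__main__":
    # First two hostnames are from the ticket; the rest are constructed samples.
    samples = [
        ("some_username.portfolios.mysite.com", ["*"]),
        ("someusername.portfolios.mysite.com", ["*"]),
        ("someusername.portfolios.mysite.com", [".mysite.com"]),
        ("notmysite.com", [".mysite.com"]),
        ("[::1]:8000", ["*"]),
    ]
    for host, allowed in samples:
        print("%-40s %-16r %s" % (host, allowed, check_host(host, allowed)))
```
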

comment:3 Changed 2 years ago by anonymous

I gave this side issue its own ticket: #19987
