Opened 12 years ago
Closed 11 years ago
#19987 closed Bug (fixed)
Basic host validation performed even when DEBUG=True
| Reported by: | Will Hardy | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Even when DEBUG=True host validation may fail if eg the hostname contains an invalid character (like _). The debug 500 page is not shown, making the cause of the problem difficult to find.
Even if developers are expected to keep their development hostnames clean and valid, a better debug message would be more useful.
Change History (6)
comment:1 by , 12 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Version: | 1.5 → master |
comment:2 by , 12 years ago
| Component: | Uncategorized → HTTP handling |
|---|---|
| Type: | Uncategorized → Bug |
comment:3 by , 12 years ago
comment:4 by , 12 years ago
Because the documentation promises that hostname validation is disabled when DEBUG=True, I wrote a patch that does this completely (ie for invalid hostnames too). But I also add an explanation to the SuspiciousOperation exception message as to why an RFC 1034/5 invalid hostname was rejected.
comment:5 by , 11 years ago
| Easy pickings: | set |
|---|---|
| Has patch: | set |
| Triage Stage: | Accepted → Ready for checkin |
Patch and the Test for Patch are valid and ready to go
comment:6 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
I thought I might take a few minutes to help out, even if only by writing a test.
Which approach do you want to take?
ALLOWED_HOSTS = ["*"]SuspiciousOperationexception is raised (ie no exception when trying to display debug response)ALLOWED_HOSTS)