Opened 4 years ago

Closed 3 years ago

#19987 closed Bug (fixed)

Basic host validation performed even when DEBUG=True

Reported by: Will Hardy
Owned by: nobody
Component: HTTP handling
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Even when DEBUG=True, host validation may fail if, e.g., the hostname contains an invalid character (like _). The debug 500 page is not shown, making the cause of the problem difficult to find.

Even if developers are expected to keep their development hostnames clean and valid, a better debug message would be more useful.

Change History (6)

comment:1 Changed 4 years ago by Jacob

Triage Stage: Unreviewed → Accepted
Version: 1.5 → master

comment:2 Changed 4 years ago by Aymeric Augustin

Component: Uncategorized → HTTP handling
Type: Uncategorized → Bug

comment:3 Changed 4 years ago by Will Hardy

I thought I might take a few minutes to help out, even if only by writing a test.

Which approach do you want to take?

  • skip all hostname validation when ALLOWED_HOSTS = ["*"]
  • make sure a normal SuspiciousOperation exception is raised (i.e. no exception when trying to display the debug response)
  • add a different suggestion in the exception message for invalid hostnames (i.e. invalid, but matched in ALLOWED_HOSTS)

comment:4 Changed 4 years ago by Will Hardy

Because the documentation promises that hostname validation is disabled when DEBUG=True, I wrote a patch that does this completely (i.e. for invalid hostnames too). But I also added an explanation to the SuspiciousOperation exception message as to why an RFC 1034/5 invalid hostname was rejected.

https://github.com/django/django/pull/996

comment:5 Changed 4 years ago by FrankBie

Easy pickings: set
Has patch: set
Triage Stage: Accepted → Ready for checkin

The patch and the test for the patch are valid and ready to go.

comment:6 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 1c3c21b38d154eff0286c194711dced2ac39dd3d:

Fixed #19987 -- Disabled host validation when DEBUG=True.

The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were, however, still being validated; this validation has now
been removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
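The behaviour described in comment 4 and in the commit message, as an added, self-contained model that is not Django's own code: a hostname that is listed in ALLOWED_HOSTS but is not RFC 1034/1035-compliant (for example one containing `_`) is rejected with an explanatory message when DEBUG=False, while with DEBUG=True the Host header is returned untouched, so the debug 500 page can render. The regex, the `split_domain_port`/`validate_host` split and the `DisallowedHost` exception are modelled on Django's HTTP handling but simplified here; the `host_outcome` helper and the sample hosts are constructed for the example.

```python
"""Added illustration of Host-header validation with and without DEBUG.

Not Django's code: a simplified model of the logic the ticket discusses.
"""
import re

# Modelled on Django's host validation pattern: a lower-case domain made of
# letters, digits, '.' and '-', or a bracketed IPv6 literal, plus an optional
# ':port'. Anything else (e.g. an underscore) is not RFC 1034/1035 compliant.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


class DisallowedHost(Exception):
    """Stands in for django.core.exceptions.DisallowedHost (a SuspiciousOperation)."""


def split_domain_port(host):
    """Return (domain, port) for a syntactically valid host, else ('', '')."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    return (bits[0], bits[1]) if len(bits) == 2 else (bits[0], "")


def validate_host(domain, allowed_hosts):
    """True if domain matches any ALLOWED_HOSTS entry ('*', exact, or '.suffix')."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
    return False


def get_host(http_host, allowed_hosts, debug):
    """Return the Host header if acceptable, else raise DisallowedHost.

    With debug=True validation is skipped entirely, as the documentation
    promises; the RFC syntax check is only applied when debug=False.
    """
    if debug:
        return http_host
    domain, _port = split_domain_port(http_host)
    if domain and validate_host(domain, allowed_hosts):
        return http_host
    msg = "Invalid HTTP_HOST header: %r." % http_host
    if domain:
        # Well-formed but not listed: point the developer at ALLOWED_HOSTS.
        msg += " You may need to add %r to ALLOWED_HOSTS." % domain
    else:
        # Listed or not, the name itself is malformed: say so explicitly.
        msg += " The domain name provided is not valid according to RFC 1034/1035."
    raise DisallowedHost(msg)


def host_outcome(http_host, allowed_hosts, debug):
    """Helper constructed for this example: (accepted, message) without raising."""
    try:
        return True, get_host(http_host, allowed_hosts, debug)
    except DisallowedHost as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample hosts: the underscore case from the ticket, a normal
    # host with a port, an IPv6 literal, and a host not in ALLOWED_HOSTS.
    cases = [
        ("my_dev.local", ["my_dev.local"], True),
        ("my_dev.local", ["my_dev.local"], False),
        ("example.com:8000", [".example.com"], False),
        ("[::1]", ["[::1]"], False),
        ("attacker.example", ["example.com"], False),
    ]
    for host, allowed, dbg in cases:
        print(dbg, host, host_outcome(host, allowed, dbg))
```

With DEBUG=True the underscore host is returned as-is, so a broken development hostname no longer hides the debug page; with DEBUG=False the same host is refused, and the message distinguishes "not in ALLOWED_HOSTS" from "not a valid domain name", which is the distinction comment 3 asked for.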
