Opened 2 years ago

Closed 20 months ago

#19987 closed Bug (fixed)

Basic host validation performed even when DEBUG=True

Reported by: Will Hardy Owned by: nobody
Component: HTTP handling Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Even when DEBUG=True, host validation may fail if, e.g., the hostname contains an invalid character (like _). The debug 500 page is not shown, making the cause of the problem difficult to find.

Even if developers are expected to keep their development hostnames clean and valid, a better debug message would be more useful.

Change History (6)

comment:1 Changed 2 years ago by jacob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Version changed from 1.5 to master

comment:2 Changed 2 years ago by aaugustin

  • Component changed from Uncategorized to HTTP handling
  • Type changed from Uncategorized to Bug

comment:3 Changed 2 years ago by Will Hardy

I thought I might take a few minutes to help out, even if only by writing a test.

Which approach do you want to take?

  • skip all hostname validation when ALLOWED_HOSTS = ["*"]
  • make sure a normal SuspiciousOperation exception is raised (i.e. no exception when trying to display the debug response)
  • add a different suggestion in the exception message for invalid hostnames (i.e. invalid, but matched in ALLOWED_HOSTS)

comment:4 Changed 2 years ago by Will Hardy

Because the documentation promises that hostname validation is disabled when DEBUG=True, I wrote a patch that does this completely (i.e. for invalid hostnames too). But I also added an explanation to the SuspiciousOperation exception message as to why an RFC 1034/5 invalid hostname was rejected.

https://github.com/django/django/pull/996

comment:5 Changed 23 months ago by FrankBie

  • Easy pickings set
  • Has patch set
  • Triage Stage changed from Accepted to Ready for checkin

The patch and its test are valid and ready to go.

comment:6 Changed 20 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 1c3c21b38d154eff0286c194711dced2ac39dd3d:

Fixed #19987 -- Disabled host validation when DEBUG=True.

The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were, however, still being validated; this validation has
now been removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
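The behaviour the ticket reports, and the behaviour after the fix, side by side. This is an added example and not code from the Django project: `HOST_VALIDATION_RE`, `split_domain_port`, `validate_host`, `DisallowedHost` and the two `get_host_*` functions are simplified stand-ins modelled on what the description, comment 4 and the commit message say, and the sample Host headers are constructed for the demonstration.

```python
import re

# Simplified stand-in for the host syntax check of that era (assumption, not
# Django's own code): RFC 1034/1035 hostname characters, or a bracketed IPv6
# literal, optionally followed by a port. An underscore is not allowed.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


class DisallowedHost(Exception):
    """Stands in for the SuspiciousOperation raised by the real get_host()."""


def split_domain_port(host):
    """Return (domain, port) for a syntactically valid Host header, else ('', '').

    An empty domain is how a later caller can tell "malformed" from "unlisted".
    """
    host = host.lower()  # validation and matching are case-insensitive
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":  # IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)  # rsplit so "[::1]:8000" keeps the literal intact
    if len(bits) == 2:
        return bits[0], bits[1]
    return bits[0], ""


def validate_host(domain, allowed_hosts):
    """Match an already well-formed domain against ALLOWED_HOSTS-style patterns."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        # A leading dot matches the domain itself and any subdomain of it.
        if pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
    return False


def get_host_before_fix(host, allowed_hosts, debug):
    """Behaviour the ticket reports: DEBUG only widens ALLOWED_HOSTS to ['*'],
    so the syntax check still runs and a hostname such as 'my_host' is rejected
    with a message that wrongly points at ALLOWED_HOSTS."""
    if debug:
        allowed_hosts = ["*"]
    domain, _port = split_domain_port(host)
    if domain and validate_host(domain, allowed_hosts):
        return host
    raise DisallowedHost(
        "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)


def get_host_after_fix(host, allowed_hosts, debug):
    """Behaviour after the fix: no host validation at all when DEBUG=True, and
    otherwise a message that says whether the host was unlisted or malformed."""
    if debug:
        return host
    domain, _port = split_domain_port(host)
    if domain and validate_host(domain, allowed_hosts):
        return host
    msg = "Invalid HTTP_HOST header: %r." % host
    if domain:
        msg += " You may need to add %r to ALLOWED_HOSTS." % domain
    else:
        msg += " The domain name provided is not valid according to RFC 1034/1035."
    raise DisallowedHost(msg)


def check(fn, host, allowed_hosts, debug):
    """Return the accepted host, or 'rejected: <message>' for one case."""
    try:
        return fn(host, allowed_hosts, debug)
    except DisallowedHost as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed sample cases: the ticket's underscore host, an unlisted host,
    # a wildcard-subdomain match and an IPv6 literal with a port.
    for fn in (get_host_before_fix, get_host_after_fix):
        print(fn.__name__)
        print("  DEBUG=True,  my_host            ->", check(fn, "my_host", [], True))
        print("  DEBUG=False, my_host            ->", check(fn, "my_host", ["example.com"], False))
        print("  DEBUG=False, evil.com           ->", check(fn, "evil.com", ["example.com"], False))
        print("  DEBUG=False, www.example.com    ->", check(fn, "www.example.com:8000", [".example.com"], False))
        print("  DEBUG=False, [::1]:8000         ->", check(fn, "[::1]:8000", ["[::1]"], False))
```

Two things worth noticing when running it. Before the fix, the DEBUG=True case is rejected with a message telling the developer to set ALLOWED_HOSTS, which is exactly the misleading advice the description complains about. After the fix, the DEBUG=False branch still rejects the malformed header, but the message distinguishes "not in ALLOWED_HOSTS" from "not RFC 1034/1035 compliant", so the underscore is found immediately. Skipping the check entirely under DEBUG=True is acceptable only because DEBUG must never be enabled on a production host; the syntax check and ALLOWED_HOSTS matching remain the Host header defence there.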
