Opened 12 years ago
Closed 11 years ago
#19987 closed Bug (fixed)
Basic host validation performed even when DEBUG=True
Reported by: | Will Hardy | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Even when DEBUG=True
host validation may fail if eg the hostname contains an invalid character (like _
). The debug 500 page is not shown, making the cause of the problem difficult to find.
Even if developers are expected to keep their development hostnames clean and valid, a better debug message would be more useful.
Change History (6)
comment:1 by , 12 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Version: | 1.5 → master |
comment:2 by , 12 years ago
Component: | Uncategorized → HTTP handling |
---|---|
Type: | Uncategorized → Bug |
comment:3 by , 12 years ago
comment:4 by , 12 years ago
Because the documentation promises that hostname validation is disabled when DEBUG=True, I wrote a patch that does this completely (ie for invalid hostnames too). But I also add an explanation to the SuspiciousOperation
exception message as to why an RFC 1034/5 invalid hostname was rejected.
comment:5 by , 11 years ago
Easy pickings: | set |
---|---|
Has patch: | set |
Triage Stage: | Accepted → Ready for checkin |
Patch and the Test for Patch are valid and ready to go
comment:6 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
I thought I might take a few minutes to help out, even if only by writing a test.
Which approach do you want to take?
ALLOWED_HOSTS = ["*"]
SuspiciousOperation
exception is raised (ie no exception when trying to display debug response)ALLOWED_HOSTS
)