Opened 12 years ago
Closed 12 years ago
#20038 closed Cleanup/optimization (fixed)
Misleading port number in 'Invalid HTTP_HOST header' error message
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | HTTP handling | Version: | 1.5 |
Severity: | Normal | Keywords: | |
Cc: | wrr@…, bmispelon@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
If a port number is incorrectly included in the ALLOWED_HOSTS setting:
ALLOWED_HOSTS = ['foo.example.org:8080']
The raised exception suggests setting ALLOWED_HOSTS to the same incorrect value:
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): foo.example.org:8080
It would be better for the exception to be thrown like this:
raise SuspiciousOperation("Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host.rsplit(':', 1)[0])
Change History (3)
comment:1 by , 12 years ago
Component: | Uncategorized → HTTP handling |
---|---|
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 12 years ago
Cc: | added |
---|---|
Has patch: | set |
comment:3 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
The fix is actually a bit more complicated than that, because we cannot assume that host is of the form domain:port (it could be an IPv6 address or even complete garbage).
I took a crack at it in my PR: https://github.com/django/django/pull/912
I also wonder if it'd be a good idea to validate settings.ALLOWED_HOSTS (we could make sure that it's a list, and that no entry contains a port number).
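
An added sketch, not the code from the PR above or from Django itself, of the two ideas raised in this ticket: splitting the Host value without assuming domain:port (bracketed IPv6 and garbage included), and checking ALLOWED_HOSTS for a non-list value or entries that carry a port. The function names and the accepted host grammar are assumptions of this example.

```python
import re

# Assumed grammar for this sketch: a hostname/IPv4 or a bracketed IPv6
# literal, optionally followed by ":<digits>". Anything else is rejected.
_HOST_RE = re.compile(r"([a-z0-9.-]+|\[[a-f0-9:.]+\])(?::(\d+))?")


def split_host_port(host):
    """Return (domain, port); ('', '') when host is not host[:port]."""
    m = _HOST_RE.fullmatch(host.lower())
    if m is None:
        return "", ""
    return m.group(1), m.group(2) or ""


def invalid_host_message(host):
    """Build the error text, suggesting only a port-free ALLOWED_HOSTS value."""
    domain, _port = split_host_port(host)
    # %r escapes control characters in the client-supplied header.
    msg = "Invalid HTTP_HOST header: %r." % host
    if domain:
        return msg + " You may need to add %r to ALLOWED_HOSTS." % domain
    return msg + " The value is not a valid host[:port]."


def check_allowed_hosts(allowed_hosts):
    """Return a list of problems found in the setting (empty means OK)."""
    if not isinstance(allowed_hosts, (list, tuple)):
        return ["ALLOWED_HOSTS must be a list or tuple, not %s"
                % type(allowed_hosts).__name__]
    problems = []
    for entry in allowed_hosts:
        if not isinstance(entry, str):
            problems.append("%r is not a string" % (entry,))
            continue
        if entry == "*":                      # match-all wildcard
            continue
        # A leading dot is the subdomain wildcard; validate the rest.
        pattern = entry[1:] if entry.startswith(".") else entry
        domain, port = split_host_port(pattern)
        if not domain:
            problems.append("%r is not a valid host pattern" % (entry,))
        elif port:
            fixed = entry[:-(len(port) + 1)]
            problems.append("%r contains a port; use %r" % (entry, fixed))
    return problems
```

With the rsplit(':', 1) approach from the description, the value [2001:db8::1] would be cut to [2001:db8: in the message; here it is returned whole with an empty port.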