Opened 13 years ago
Closed 13 years ago
#20038 closed Cleanup/optimization (fixed)
Misleading port number in 'Invalid HTTP_HOST header' error message
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.5 |
| Severity: | Normal | Keywords: | |
| Cc: | wrr@…, bmispelon@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If a port number is incorrectly included in the ALLOWED_HOSTS setting:

```python
ALLOWED_HOSTS = ['foo.example.org:8080']
```

the raised exception suggests setting ALLOWED_HOSTS to the same incorrect value:

```
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): foo.example.org:8080
```

It would be better for the exception to be raised like this:

```python
raise SuspiciousOperation("Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host.rsplit(':', 1)[0])
```
Change History (3)
comment:1 by , 13 years ago
| Component: | Uncategorized → HTTP handling |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 13 years ago
| Cc: | added |
|---|---|
| Has patch: | set |
comment:3 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
The fix is actually a bit more complicated than that, because we cannot assume that `host` is of the form `domain:port` (it could be an IPv6 address or even complete garbage). I took a crack at it in my PR: https://github.com/django/django/pull/912

I also wonder if it'd be a good idea to validate `settings.ALLOWED_HOSTS` (we could make sure that it's a list, and that no entry contains a port number).
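The following is an added, self-contained illustration of the two points raised in this ticket (the description's request that the error message not echo the port, and the comment's concerns about IPv6 hosts, garbage input and validating `ALLOWED_HOSTS`); it is not Django's code and not the code in the linked PR. The `SuspiciousOperation` class is a stand-in for the Django exception of the same name, and the matching rules (exact match, leading-dot suffix match, `'*'`) are assumed for the example.

```python
import re

# Splits a Host header value into (domain, port) without assuming a
# "domain:port" shape: bracketed IPv6 ([::1]:8000), IPv4, and hostnames,
# each with or without a port. Anything else yields ('', ''). Unbracketed
# IPv6 is deliberately treated as unparsable, since a Host header must
# bracket IPv6 literals.
_HOST_RE = re.compile(r'^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$', re.IGNORECASE)


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumed to play the same role)."""


def split_domain_port(host):
    """Return (domain, port); port is '' when absent, both are '' when host is unparsable."""
    m = _HOST_RE.match(host.strip())
    if not m:
        return '', ''
    return m.group(1).lower(), m.group(2) or ''


def validate_allowed_hosts(allowed_hosts):
    """Return a list of problems with an ALLOWED_HOSTS value; an empty list means it looks sane.

    Checks the two things suggested in the ticket: the setting must be a list or tuple
    (a bare string would be iterated character by character) and no entry may carry a port.
    """
    if isinstance(allowed_hosts, str) or not isinstance(allowed_hosts, (list, tuple)):
        return ['ALLOWED_HOSTS must be a list or tuple of host patterns, got %r' % (allowed_hosts,)]
    problems = []
    for entry in allowed_hosts:
        if entry == '*':
            continue
        domain, port = split_domain_port(entry)
        if port:
            problems.append('ALLOWED_HOSTS entry %r contains a port; use %r instead' % (entry, domain))
        elif not domain:
            problems.append('ALLOWED_HOSTS entry %r is not a valid host pattern' % (entry,))
    return problems


def matches_pattern(domain, pattern):
    """Assumed matching rules: '*' matches anything, '.example.org' matches the
    domain itself and any subdomain, any other pattern must match exactly."""
    pattern = pattern.lower()
    if pattern == '*':
        return True
    if pattern.startswith('.'):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def check_host(host, allowed_hosts):
    """Validate a Host header against ALLOWED_HOSTS.

    Returns the domain (port stripped) on success. On failure raises SuspiciousOperation
    whose message names only the domain, so the "set ALLOWED_HOSTS" hint never suggests
    copying the port into the setting. Unparsable input has no domain to show, so the
    raw value is reported instead.
    """
    domain, port = split_domain_port(host)
    if domain and any(matches_pattern(domain, p) for p in allowed_hosts):
        return domain
    shown = domain or host
    raise SuspiciousOperation(
        'Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s' % shown)


if __name__ == '__main__':
    # Constructed inputs: the misconfiguration from the ticket description.
    bad_setting = ['foo.example.org:8080']
    print(validate_allowed_hosts(bad_setting))
    try:
        check_host('foo.example.org:8080', bad_setting)
    except SuspiciousOperation as exc:
        print(exc)  # message ends with "foo.example.org", not "foo.example.org:8080"
    print(check_host('[::1]:8000', ['[::1]']))
```

Running the module with the misconfigured setting shows both halves of the fix: `validate_allowed_hosts` flags the entry that carries a port, and the exception raised by `check_host` names `foo.example.org` rather than echoing the port, so a reader following the hint ends up with a correct `ALLOWED_HOSTS` entry.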