Opened 4 years ago

Closed 4 years ago

#20038 closed Cleanup/optimization (fixed)

Misleading port number in 'Invalid HTTP_HOST header' error message

Reported by: wrr@…
Owned by: nobody
Component: HTTP handling
Version: 1.5
Severity: Normal
Keywords:
Cc: wrr@…, bmispelon@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If a port number is incorrectly included in the ALLOWED_HOSTS setting:

ALLOWED_HOSTS = ['foo.example.org:8080']

The raised exception suggests setting ALLOWED_HOSTS to the same incorrect value:

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): foo.example.org:8080

It would be better for the exception to be thrown like this:

raise SuspiciousOperation("Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host.rsplit(':', 1)[0])

Change History (3)

comment:1 Changed 4 years ago by Jacob

Component: Uncategorized → HTTP handling
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

comment:2 Changed 4 years ago by Baptiste Mispelon

Cc: bmispelon@… added
Has patch: set

The fix is actually a bit more complicated than that, because we cannot assume that host is of the form domain:port (it could be an IPv6 address or even complete garbage).

I took a crack at it in my PR: https://github.com/django/django/pull/912

I also wonder if it'd be a good idea to validate settings.ALLOWED_HOSTS (we could make sure that it's a list, and that no entry contains a port number).
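
The two points in the comment above, as an added example that is not part of the ticket, the linked PR, or Django's code: splitting a Host value without assuming the domain:port form (a bracketed IPv6 literal or garbage breaks `rsplit(':', 1)`), and checking an ALLOWED_HOSTS value for entries that carry a port. The pattern, the function names and the message wording are assumptions of this example.

```python
import re

# Pattern and helper names are assumptions of this example, not Django's code.
# A host is a bracketed IPv6 literal or a run of hostname/IPv4 characters,
# optionally followed by ":<digits>".
HOST_RE = re.compile(r"(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d+))?", re.IGNORECASE)


def split_host_port(host):
    """Return (domain, port) for a Host value, or None if it is malformed."""
    m = HOST_RE.fullmatch(host)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2) or ""


def host_error_message(host):
    """Build the error text without suggesting a port-bearing ALLOWED_HOSTS entry."""
    parsed = split_host_port(host)
    if parsed is None:
        return "Invalid HTTP_HOST header: %r. The value is malformed." % host
    return ("Invalid HTTP_HOST header: %r. You may need to add %r to "
            "ALLOWED_HOSTS." % (host, parsed[0]))


def check_allowed_hosts(allowed_hosts):
    """Return a list of problems found in an ALLOWED_HOSTS value."""
    if not isinstance(allowed_hosts, (list, tuple)):
        return ["ALLOWED_HOSTS must be a list or tuple, got %s"
                % type(allowed_hosts).__name__]
    problems = []
    for entry in allowed_hosts:
        if entry == "*":
            continue  # match-all wildcard
        # A leading dot is the subdomain wildcard; validate the rest.
        bare = entry[1:] if isinstance(entry, str) and entry.startswith(".") else entry
        parsed = split_host_port(bare) if isinstance(bare, str) else None
        if parsed is None:
            problems.append("%r is not a valid host pattern" % (entry,))
        elif parsed[1]:
            fixed = entry[: -len(parsed[1]) - 1]
            problems.append("%r contains a port; use %r" % (entry, fixed))
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for h in ["foo.example.org:8080", "[2001:db8::1]", "2001:db8::1", "a b"]:
        print(host_error_message(h))
    print(check_allowed_hosts(["foo.example.org:8080", ".example.com", "*"]))
```

For `[2001:db8::1]` the naive `rsplit(':', 1)[0]` yields `[2001:db8:`, while the helper returns the bracketed literal intact and rejects the unbracketed form as malformed.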

comment:3 Changed 4 years ago by Carl Meyer <carl@…>

Resolution: fixed
Status: new → closed

In c250f9c99b59bb011dae9bc97783458621462b65:

Fixed #20038 -- Better error message for host validation.
