Opened 2 years ago

Closed 2 years ago

#20038 closed Cleanup/optimization (fixed)

Misleading port number in 'Invalid HTTP_HOST header' error message

Reported by: wrr@…
Owned by: nobody
Component: HTTP handling
Version: 1.5
Severity: Normal
Keywords:
Cc: wrr@…, bmispelon@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If a port number is incorrectly included in the ALLOWED_HOSTS setting:

ALLOWED_HOSTS = ['foo.example.org:8080']

The raised exception suggests setting ALLOWED_HOSTS to the same incorrect value:

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): foo.example.org:8080

It would be better for the exception to be thrown like this:

raise SuspiciousOperation("Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host.rsplit(':', 1)[0])

Change History (3)

comment:1 Changed 2 years ago by jacob

  • Component changed from Uncategorized to HTTP handling
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Uncategorized to Cleanup/optimization

comment:2 Changed 2 years ago by bmispelon

  • Cc bmispelon@… added
  • Has patch set

The fix is actually a bit more complicated than that, because we cannot assume that host is of the form domain:port (it could be an IPv6 address or even complete garbage).

I took a crack at it in my PR: https://github.com/django/django/pull/912

I also wonder if it'd be a good idea to validate settings.ALLOWED_HOSTS (we could make sure that it's a list, and that no entry contains a port number).
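
The following is an added example, not Django's code and not the patch from the PR linked above; it illustrates both points in this ticket (stripping a port before suggesting a value for ALLOWED_HOSTS, as in the description, and the IPv6/garbage cases and settings validation raised in this comment). The function names `split_domain_port`, `validate_host`, `check_allowed_hosts_setting` and `invalid_host_message`, the wildcard semantics (`*` and a leading-dot suffix pattern) and the wording of the messages are assumptions made for the example.

```python
import re

# Syntactically valid Host header value: a DNS name, an IPv4 literal, or a
# bracketed IPv6 literal, optionally followed by ":port". Anything else is
# treated as garbage rather than split on the last colon.
HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::([0-9]+))?$")


def split_domain_port(host):
    """Return (domain, port) for a Host header value.

    port is '' when absent. A value that is not a valid host yields
    ('', ''), so a caller never suggests adding garbage to ALLOWED_HOSTS.
    Naively using host.rsplit(':', 1) would break '[::1]' into '[:' and '1]'.
    """
    match = HOST_RE.match(host.lower())
    if not match:
        return "", ""
    domain, port = match.groups(default="")
    # A trailing dot (absolute DNS name) is equivalent to none.
    return domain.rstrip("."), port


def validate_host(host, allowed_hosts):
    """Match a port-less host against the allowed patterns (assumed semantics):
    exact match, '*' for any host, or '.example.com' for example.com and all
    of its subdomains. An entry that still carries ':8080' never matches."""
    for pattern in allowed_hosts:
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def check_allowed_hosts_setting(allowed_hosts):
    """Return a list of problems with an ALLOWED_HOSTS value (empty if fine)."""
    if isinstance(allowed_hosts, str) or not hasattr(allowed_hosts, "__iter__"):
        return ["ALLOWED_HOSTS must be a list or tuple, not %r" % type(allowed_hosts).__name__]
    problems = []
    for entry in allowed_hosts:
        if not isinstance(entry, str):
            problems.append("%r is not a string" % (entry,))
            continue
        if entry == "*":
            continue
        domain, port = split_domain_port(entry)
        if port:
            problems.append("%r contains a port number; use %r" % (entry, domain))
        elif not domain:
            problems.append("%r is not a valid host pattern" % entry)
    return problems


def invalid_host_message(host):
    """Error text that suggests the port-less domain, and suggests nothing
    when the header value does not parse as a host at all."""
    domain, _port = split_domain_port(host)
    if domain:
        return "Invalid HTTP_HOST header: %r. You may need to add %r to ALLOWED_HOSTS." % (host, domain)
    return "Invalid HTTP_HOST header: %r. The domain name provided is not valid." % host


if __name__ == "__main__":
    # Constructed inputs reproducing the situation in the ticket.
    print(check_allowed_hosts_setting(["foo.example.org:8080"]))
    print(invalid_host_message("foo.example.org:8080"))
    print(invalid_host_message("[::1]:8000"))
    print(invalid_host_message("evil host!"))
```

Running the module prints the misconfiguration warning for `foo.example.org:8080` and an error message that suggests `foo.example.org`, while the IPv6 literal keeps its brackets and the garbage value gets no suggestion at all.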

comment:3 Changed 2 years ago by Carl Meyer <carl@…>

  • Resolution set to fixed
  • Status changed from new to closed

In c250f9c99b59bb011dae9bc97783458621462b65:

Fixed #20038 -- Better error message for host validation.
