
#20038 closed Cleanup/optimization (fixed)

Misleading port number in 'Invalid HTTP_HOST header' error message

Reported by: wrr@…
Owned by: nobody
Component: HTTP handling
Version: 1.5
Severity: Normal
Keywords:
Cc: wrr@…, bmispelon@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If a port number is incorrectly included in the ALLOWED_HOSTS setting:

ALLOWED_HOSTS = ['foo.example.org:8080']

The raised exception suggests setting ALLOWED_HOSTS to the same incorrect value:

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): foo.example.org:8080

It would be better for the exception to be thrown like this:

raise SuspiciousOperation("Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host.rsplit(':', 1)[0])

Attachments (0)

Change History (3)

comment:1 Changed 13 months ago by jacob

  • Component changed from Uncategorized to HTTP handling
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Uncategorized to Cleanup/optimization

comment:2 Changed 13 months ago by bmispelon

  • Cc bmispelon@… added
  • Has patch set

The fix is actually a bit more complicated than that, because we cannot assume that host is of the form domain:port (it could be an IPv6 address or even complete garbage).

I took a crack at it in my PR: https://github.com/django/django/pull/912

I also wonder if it'd be a good idea to validate settings.ALLOWED_HOSTS (we could make sure that it's a list, and that no entry contains a port number).
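
The following is an added example, not code from the ticket or from Django itself. It models the behaviour discussed in the description and in this comment: host matching is done on the domain part only, so an ALLOWED_HOSTS entry that carries a port can never match; the suggested value in the error message must be derived from a proper domain/port split rather than a bare rsplit, because a bracketed IPv6 literal without a port also contains colons; and a malformed Host value must be rejected outright. Function names, the regular expression and the lint helper for ALLOWED_HOSTS are illustrative assumptions, and the sample hosts are constructed.

```python
import re

# Added example, not Django's own code. Names are illustrative assumptions.
# Accepts "domain", "domain:port", "[ipv6]" and "[ipv6]:port"; anything else
# (spaces, non-ASCII, an unbracketed IPv6 literal, "foo:bar") is rejected.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host):
    """Return (domain, port) for a well-formed host, ('', '') if malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):          # bare bracketed IPv6 literal, no port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:                     # plain domain without a port
        return host, ""
    return domain, port


def validate_host(host, allowed_hosts):
    """True if the domain part of host matches an ALLOWED_HOSTS entry.
    '*' matches any well-formed host; '.example.org' matches the domain
    itself and any subdomain. The port is never part of the comparison."""
    domain, _port = split_domain_port(host)
    if not domain:                  # garbage never matches, even against '*'
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (
            domain.endswith(pattern) or domain == pattern[1:]
        ):
            return True
    return False


def allowed_hosts_suggestion(host):
    """Value the error message should tell the operator to add: the domain
    without its port, or the raw header when it cannot be parsed at all."""
    domain, _port = split_domain_port(host)
    return domain or host


def naive_suggestion(host):
    """The rsplit approach from the ticket description, kept to show that
    it mangles a bracketed IPv6 literal that carries no port."""
    return host.rsplit(":", 1)[0]


def check_allowed_hosts_setting(allowed_hosts):
    """Lint ALLOWED_HOSTS: reject a bare string (iterating it would yield
    single characters) and return the entries that can never match because
    they carry a port or are not a well-formed host at all."""
    if isinstance(allowed_hosts, str):
        raise TypeError("ALLOWED_HOSTS must be a list of hosts, not a string")
    bad = []
    for entry in allowed_hosts:
        if entry == "*":
            continue
        domain, port = split_domain_port(entry.lstrip("."))
        if port or not domain:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed sample: the misconfiguration from the ticket description.
    allowed = ["foo.example.org:8080"]
    for h in ["foo.example.org:8080", "[::1]:8000", "[::1]", "garbage host!"]:
        print(
            f"{h!r}: allowed={validate_host(h, allowed)} "
            f"suggest={allowed_hosts_suggestion(h)!r} "
            f"naive={naive_suggestion(h)!r}"
        )
    print("bad ALLOWED_HOSTS entries:", check_allowed_hosts_setting(allowed))
```

With the entry from the ticket, `validate_host` never accepts the request, while the same request is accepted once the entry is `foo.example.org` or `.example.org`. For `[::1]` the rsplit version would suggest `[:`, which is why the split has to recognise bracketed IPv6 literals before looking for a port.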

comment:3 Changed 13 months ago by Carl Meyer <carl@…>

  • Resolution set to fixed
  • Status changed from new to closed

In c250f9c99b59bb011dae9bc97783458621462b65:

Fixed #20038 -- Better error message for host validation.
