Opened 10 years ago

Closed 10 years ago

#21921 closed Bug (duplicate)

host_validation_re does not match IPv6 addresses

Reported by: sej854+django@… Owned by: nobody
Component: HTTP handling Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Validation of the host part fails, falsely raising SuspiciousOperation

validate_host() or split_domain_port() in django.http.request try to match the Host: value against the following RegExp:

host_validation_re = re.compile(r"([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")

The issue is the \[ \] (literal square brackets) around the IPv6 part -- the Host: value actually does not contain them. Hence it fails to match any IPv6 address.
In my local installation I removed the source of the problem by adding question marks after the \[ and \], but of course it'd be better if it could be fixed properly in the code base.

I encountered this problem in a django 1.3.7 install, but checked the github (https://github.com/django/django/blob/c250f9c99b59bb011dae9bc97783458621462b65/django/http/request.py) to confirm that this problem hasn't changed.

Let me know if you need any additional information.

Change History (3)

comment:1 by Claude Paroz, 10 years ago

I find it a bit strange that your Host value doesn't contain the brackets (the RFC requires them, http://tools.ietf.org/html/rfc3986#section-3.2.2).
Is it the client who didn't set the brackets?
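As an added illustration (not code from the ticket or from Django itself), the host_validation_re quoted in the description is run over constructed Host: values with and without the RFC 3986 brackets that comment:1 refers to, alongside the reporter's bracket-optional workaround; it shows why the brackets matter, since without them the port cannot be told apart from the address. The check_host helper and its lower-casing step are assumptions of this example.

```python
import re

# The host_validation_re quoted in the ticket description.
HOST_RE_ORIGINAL = re.compile(r"([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")

# Reconstruction of the reporter's local workaround ('?' after \[ and \]).
# This is an assumption of the example, not Django's code.
HOST_RE_OPTIONAL_BRACKETS = re.compile(
    r"([a-z0-9.-]+|\[?[a-f0-9]*:[a-f0-9:]+\]?)(:\d+)?$"
)


def check_host(host, pattern=HOST_RE_ORIGINAL):
    """Return (is_valid, host_part, port_or_None) for a Host: header value.

    Assumption: the value is lower-cased before matching, as the regex only
    knows lower-case hex digits; group 2 of the regex carries the ':port'.
    """
    m = pattern.match(host.lower())
    if m is None:
        return (False, None, None)
    port = m.group(2)[1:] if m.group(2) else None
    return (True, m.group(1), port)


# Constructed Host: values (not from the ticket) covering both forms.
SAMPLE_HOSTS = [
    "example.com",
    "example.com:8000",
    "[2001:db8::1]",        # IPv6 literal in the RFC 3986 bracketed form
    "[2001:db8::1]:8000",   # bracketed form with a port: port is unambiguous
    "2001:db8::1",          # bare literal, as the reporter observed
    "2001:db8::1:8000",     # bare literal plus port: the port is swallowed
    "example.com/path",     # not a host at all: rejected by both patterns
]


def report(pattern):
    """Map each sample Host: value to its check_host() result for a pattern."""
    return {h: check_host(h, pattern) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, pat in (("original", HOST_RE_ORIGINAL),
                      ("optional brackets", HOST_RE_OPTIONAL_BRACKETS)):
        print(f"--- {name} ---")
        for h, (ok, host_part, port) in report(pat).items():
            print(f"{h!r:24} valid={ok!s:5} host={host_part!r} port={port!r}")
```

With the brackets made optional, "2001:db8::1:8000" is accepted but its port disappears into the address, which is the ambiguity the RFC's bracket rule exists to prevent.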

comment:2 by anonymous, 10 years ago

Possibly! I came across this when trying to figure out why our provider's was flooded by e-mails -- some automatic script searching for vulnerabilities tried out all sorts of addresses, and because of the mis-matching host_validation_re Django sent one e-mail to me for each request. I wouldn't say it was totally wrong to raise SuspiciousOperation exceptions in this case (it was a suspicious operation), but there should be some way to prevent just this kind of exception from being e-mailed to the admin, without having to disable all Exception mails (according to the django logging documentation it should be possible to deal with sub-categories of SuspiciousOperation, but the code in http/request.py only raises SuspiciousOperation(), so I can't see how you'd filter out just the mismatches to the Host: validation). Otherwise this can result in a (not even intentional) denial of service...

comment:3 by Claude Paroz, 10 years ago

Resolution: duplicate
Status: new → closed

The issue about exception differentiation has been addressed in #19866 (the fix is in Django 1.6).
