ALLOWED_HOSTS setting is done in the wrong place, should be in a custom middleware
|Reported by:||mark0978||Owned by:||collinanderson|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Right now ALLOWED_HOST checking is done in Request.get_host() which is called by CommonMiddleware. And then called again in fix_location_header(request, response) which means it is impossible to redirect an attacker to fbi.gov and at the same time record their attack because on a redirect get_host is called twice!
Raising a suspicious operation just does not belong in Request.get_host(), it really isn't part of the function that gives you the host back, it is something you do after you get the host information.
This is what I've had to write to work around this problem:
class CommonMiddleware(DjangoCommonMiddleware): """ In an effort to stop the deluge of ALLOWED_HOSTS emails sent at our software by very stupid pentesters, I have decided to record what they are doing, and then send them to the fbi.gov site (out of spite). It shall be interesting to see if they actually figure it out or not. (But right now I can't do that because of limitations within Django""" def process_request(self, request): def get_client_ip(request): x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR') if x_forwarded_for: ip = x_forwarded_for.split(',') else: ip = request.META.get('REMOTE_ADDR') return ip try: return super(CommonMiddleware, self).process_request(request) except SuspiciousOperation as xcpt: if 'ALLOWED_HOSTS' in str(xcpt): # We try three options, in order of decreasing preference. if settings.USE_X_FORWARDED_HOST and ( 'HTTP_X_FORWARDED_HOST' in request.META): host = request.META['HTTP_X_FORWARDED_HOST'] elif 'HTTP_HOST' in request.META: host = request.META['HTTP_HOST'] else: # Reconstruct the host using the algorithm from PEP 333. host = request.META['SERVER_NAME'] server_port = str(request.META['SERVER_PORT']) if server_port != ('443' if request.is_secure() else '80'): host = '%s:%s' % (host, server_port) obj = AllowedHostViolation.objects.create( host_attacked=host, url_attacked=request.get_full_path(), attacker=get_client_ip(request) ) response = HttpResponse("You were hoping to have breached security!" " Not today though!" " Now smile for the camera, because you've been busted!\n", content_type='application/text', status=418) response.allowed_host_violation = True return response raise def process_response(self, request, response): """ Have to also do this to keep it from throwing another Suspicious Operation """ if response.allowed_host_violation: return response return super(CommonMiddleware, self).process_response(request, response)
This bug is also present in 1.6 but in that case you get a differentiated Exception thrown. You still can't return a HttpResponseRedirect to send them all to fbi.gov though because the logic is in the wrong place.
Change History (7)
comment:1 Changed 7 months ago by collinanderson
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:5 Changed 7 months ago by collinanderson
- Has patch set
- Owner changed from nobody to collinanderson
- Status changed from new to assigned
comment:6 Changed 7 months ago by Collin Anderson <cmawebsite@…>
- Resolution set to fixed
- Status changed from assigned to closed