#25099 closed Cleanup/optimization (fixed)
Cleanup HttpRequest representations in error reporting
Reported by: | Vlastimil Zíma | Owned by: | Vlastimil Zíma |
---|---|---|---|
Component: | Core (Other) | Version: | dev |
Severity: | Release blocker | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Since simplification of HttpRequest.__repr__
in #12098. The method build_request_repr
is not used anywhere in the django.http
where is defined and is only used for representation of request in error emails. But even that usage is excesive. In HTML version, the request details are printed under the traceback and so it is useless to repeat the full request details in local variables of every frame. The text version of the email is generated separately, despite the fact that ExceptionReporter
provides get_traceback_text
method which returns text content descibing the error.
Ticket created on recommendation by timgraham from discussion in https://github.com/django/django/pull/4947 for related ticket #22990.
Attachments (1)
Change History (15)
comment:1 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 9 years ago
Has patch: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 9 years ago
Summary: | Cleanup HttpRequest representations → Cleanup HttpRequest representations in error reporting |
---|---|
Triage Stage: | Accepted → Ready for checkin |
Version: | 1.8 → master |
comment:4 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:5 by , 9 years ago
Has patch: | unset |
---|---|
Resolution: | fixed |
Severity: | Normal → Release blocker |
Status: | closed → new |
Triage Stage: | Ready for checkin → Accepted |
Unfortunately, part of the changes here cause the AdminEmailHandler
to crash on requests with invalid HTTP hosts (regression test attached). vzima, do you have time to take a look?
by , 9 years ago
Attachment: | 25099-regress-test.diff added |
---|
comment:7 by , 9 years ago
This is an interesting error. The problem is caused by the fact that allowed hosts are checked inside HttpRequest.get_host()
which makes this function completely unusable in case of disallowed host. Among others it is used in HttpRequest.get_absolute_url()
which is used to provide full URL in exception reports. The problem was hidden before, because exception reports are handled after the validation of the HTTP host, so the error was not triggered.
Quick and dirty solution would most likely be addition of extra argument to the HttpRequest.get_host()
method to suppress validation against the ALLOWED_HOSTS.
But I'm puzzled by the fact that allowed hosts are validated in HttpRequest.get_host()
method and not explicitely. I even have a suspicion that a request with disallowed host can be handled in cases where middlewares which uses get_host()
method, such as CommonMiddleware
, are disabled.
comment:8 by , 9 years ago
Allowed hosts are validated in get_host()
specifically in order to enable the latter possibility: we didn't want to enforce use of ALLOWED_HOSTS
on a site which never made use of the Host
header at all. If the Host
header is not in fact used, then a spoofed Host
header has no effect, and there is no concern.
Rather than adding a new argument to get_host()
, I'd prefer to introduce a new private _get_raw_host()
or similar, which could be called within get_host()
too. I guess that's needed (as opposed to just getting the raw Host direct from request.META
in order to handle X-Forwarded-Host
et al.
comment:9 by , 9 years ago
Patch is in PR https://github.com/django/django/pull/5228
I find out the bug is not a regression. The problem was there before (tested in 1.8.4) but it manifested only if include_html
was enabled.
I based the fix on carljm's proposal, but apart from _get_raw_host()
I had to add also get_raw_uri()
method to provide alternative for build_absolute_uri()
which was used in the template.
comment:10 by , 9 years ago
Has patch: | set |
---|
comment:11 by , 9 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
In 8f8c54f: