Cleanup HttpRequest representations in error reporting

[Vlastimil Zíma]

Since simplification of HttpRequest.__repr__ in #12098. The method build_request_repr is not used anywhere in the django.http where is defined and is only used for representation of request in error emails. But even that usage is excesive. In HTML version, the request details are printed under the traceback and so it is useless to repeat the full request details in local variables of every frame. The text version of the email is generated separately, despite the fact that ExceptionReporter provides get_traceback_text method which returns text content descibing the error.

Ticket created on recommendation by timgraham from discussion in ​https://github.com/django/django/pull/4947 for related ticket #22990.

[Tim Graham <timograham@…>]

In 8f8c54f:

Fixed #25099 -- Cleaned up HttpRequest representations in error reporting.

[Tim Graham]

Unfortunately, part of the changes here cause the AdminEmailHandler to crash on requests with invalid HTTP hosts (regression test attached). vzima, do you have time to take a look?

[Vlastimil Zíma]

I'll try to look at it.

[Vlastimil Zíma]

This is an interesting error. The problem is caused by the fact that allowed hosts are checked inside HttpRequest.get_host() which makes this function completely unusable in case of disallowed host. Among others it is used in HttpRequest.get_absolute_url() which is used to provide full URL in exception reports. The problem was hidden before, because exception reports are handled after the validation of the HTTP host, so the error was not triggered.

Quick and dirty solution would most likely be addition of extra argument to the HttpRequest.get_host() method to suppress validation against the ALLOWED_HOSTS.

But I'm puzzled by the fact that allowed hosts are validated in HttpRequest.get_host() method and not explicitely. I even have a suspicion that a request with disallowed host can be handled in cases where middlewares which uses get_host() method, such as CommonMiddleware, are disabled.

[Carl Meyer]

Allowed hosts are validated in get_host() specifically in order to enable the latter possibility: we didn't want to enforce use of ALLOWED_HOSTS on a site which never made use of the Host header at all. If the Host header is not in fact used, then a spoofed Host header has no effect, and there is no concern.

Rather than adding a new argument to get_host(), I'd prefer to introduce a new private _get_raw_host() or similar, which could be called within get_host() too. I guess that's needed (as opposed to just getting the raw Host direct from request.META in order to handle X-Forwarded-Host et al.

[Vlastimil Zíma]

Patch is in PR ​https://github.com/django/django/pull/5228

I find out the bug is not a regression. The problem was there before (tested in 1.8.4) but it manifested only if include_html was enabled.

I based the fix on carljm's proposal, but apart from _get_raw_host() I had to add also get_raw_uri() method to provide alternative for build_absolute_uri() which was used in the template.

[Tim Graham <timograham@…>]

In cf29b6b5:

Fixed #25099 -- Fixed crash in AdminEmailHandler on DisallowedHost.

[Tim Graham <timograham@…>]

In 071af825:

Refs #25099 -- Added removal of build_request_repr() to 1.9 release notes.

[Tim Graham <timograham@…>]

In 428164fc:

[1.9.x] Refs #25099 -- Added removal of build_request_repr() to 1.9 release notes.

Backport of 071af825398bab08246aa28c227514ed37cf4244 from master