Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#25099 closed Cleanup/optimization (fixed)

Cleanup HttpRequest representations in error reporting

Reported by: Vlastimil Zíma Owned by: Vlastimil Zíma
Component: Core (Other) Version: dev
Severity: Release blocker Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Since simplification of HttpRequest.__repr__ in #12098. The method build_request_repr is not used anywhere in the django.http where is defined and is only used for representation of request in error emails. But even that usage is excesive. In HTML version, the request details are printed under the traceback and so it is useless to repeat the full request details in local variables of every frame. The text version of the email is generated separately, despite the fact that ExceptionReporter provides get_traceback_text method which returns text content descibing the error.

Ticket created on recommendation by timgraham from discussion in https://github.com/django/django/pull/4947 for related ticket #22990.

Attachments (1)

25099-regress-test.diff (585 bytes ) - added by Tim Graham 9 years ago.

Download all attachments as: .zip

Change History (15)

comment:1 by Vlastimil Zíma, 9 years ago

Owner: changed from nobody to Vlastimil Zíma
Status: newassigned

comment:2 by Tim Graham, 9 years ago

Has patch: set
Triage Stage: UnreviewedAccepted

comment:3 by Tim Graham, 9 years ago

Summary: Cleanup HttpRequest representationsCleanup HttpRequest representations in error reporting
Triage Stage: AcceptedReady for checkin
Version: 1.8master

comment:4 by Tim Graham <timograham@…>, 9 years ago

Resolution: fixed
Status: assignedclosed

In 8f8c54f:

Fixed #25099 -- Cleaned up HttpRequest representations in error reporting.

comment:5 by Tim Graham, 9 years ago

Has patch: unset
Resolution: fixed
Severity: NormalRelease blocker
Status: closednew
Triage Stage: Ready for checkinAccepted

Unfortunately, part of the changes here cause the AdminEmailHandler to crash on requests with invalid HTTP hosts (regression test attached). vzima, do you have time to take a look?

by Tim Graham, 9 years ago

Attachment: 25099-regress-test.diff added

comment:6 by Vlastimil Zíma, 9 years ago

Status: newassigned

I'll try to look at it.

comment:7 by Vlastimil Zíma, 9 years ago

This is an interesting error. The problem is caused by the fact that allowed hosts are checked inside HttpRequest.get_host() which makes this function completely unusable in case of disallowed host. Among others it is used in HttpRequest.get_absolute_url() which is used to provide full URL in exception reports. The problem was hidden before, because exception reports are handled after the validation of the HTTP host, so the error was not triggered.

Quick and dirty solution would most likely be addition of extra argument to the HttpRequest.get_host() method to suppress validation against the ALLOWED_HOSTS.

But I'm puzzled by the fact that allowed hosts are validated in HttpRequest.get_host() method and not explicitely. I even have a suspicion that a request with disallowed host can be handled in cases where middlewares which uses get_host() method, such as CommonMiddleware, are disabled.

comment:8 by Carl Meyer, 9 years ago

Allowed hosts are validated in get_host() specifically in order to enable the latter possibility: we didn't want to enforce use of ALLOWED_HOSTS on a site which never made use of the Host header at all. If the Host header is not in fact used, then a spoofed Host header has no effect, and there is no concern.

Rather than adding a new argument to get_host(), I'd prefer to introduce a new private _get_raw_host() or similar, which could be called within get_host() too. I guess that's needed (as opposed to just getting the raw Host direct from request.META in order to handle X-Forwarded-Host et al.

comment:9 by Vlastimil Zíma, 9 years ago

Patch is in PR https://github.com/django/django/pull/5228

I find out the bug is not a regression. The problem was there before (tested in 1.8.4) but it manifested only if include_html was enabled.

I based the fix on carljm's proposal, but apart from _get_raw_host() I had to add also get_raw_uri() method to provide alternative for build_absolute_uri() which was used in the template.

comment:10 by Vlastimil Zíma, 9 years ago

Has patch: set

comment:11 by Tim Graham, 9 years ago

Triage Stage: AcceptedReady for checkin

comment:12 by Tim Graham <timograham@…>, 9 years ago

Resolution: fixed
Status: assignedclosed

In cf29b6b5:

Fixed #25099 -- Fixed crash in AdminEmailHandler on DisallowedHost.

comment:13 by Tim Graham <timograham@…>, 9 years ago

In 071af825:

Refs #25099 -- Added removal of build_request_repr() to 1.9 release notes.

comment:14 by Tim Graham <timograham@…>, 9 years ago

In 428164fc:

[1.9.x] Refs #25099 -- Added removal of build_request_repr() to 1.9 release notes.

Backport of 071af825398bab08246aa28c227514ed37cf4244 from master

Note: See TracTickets for help on using tickets.
Back to Top