#25099 closed Cleanup/optimization (fixed)
Cleanup HttpRequest representations in error reporting
| Reported by: | Vlastimil Zíma | Owned by: | Vlastimil Zíma |
|---|---|---|---|
| Component: | Core (Other) | Version: | dev |
| Severity: | Release blocker | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since simplification of HttpRequest.__repr__ in #12098. The method build_request_repr is not used anywhere in the django.http where is defined and is only used for representation of request in error emails. But even that usage is excesive. In HTML version, the request details are printed under the traceback and so it is useless to repeat the full request details in local variables of every frame. The text version of the email is generated separately, despite the fact that ExceptionReporter provides get_traceback_text method which returns text content descibing the error.
Ticket created on recommendation by timgraham from discussion in https://github.com/django/django/pull/4947 for related ticket #22990.
Attachments (1)
Change History (15)
comment:1 by , 9 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 9 years ago
| Has patch: | set |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:3 by , 9 years ago
| Summary: | Cleanup HttpRequest representations → Cleanup HttpRequest representations in error reporting |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
| Version: | 1.8 → master |
comment:4 by , 9 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:5 by , 9 years ago
| Has patch: | unset |
|---|---|
| Resolution: | fixed |
| Severity: | Normal → Release blocker |
| Status: | closed → new |
| Triage Stage: | Ready for checkin → Accepted |
Unfortunately, part of the changes here cause the AdminEmailHandler to crash on requests with invalid HTTP hosts (regression test attached). vzima, do you have time to take a look?
by , 9 years ago
| Attachment: | 25099-regress-test.diff added |
|---|
comment:7 by , 9 years ago
This is an interesting error. The problem is caused by the fact that allowed hosts are checked inside HttpRequest.get_host() which makes this function completely unusable in case of disallowed host. Among others it is used in HttpRequest.get_absolute_url() which is used to provide full URL in exception reports. The problem was hidden before, because exception reports are handled after the validation of the HTTP host, so the error was not triggered.
Quick and dirty solution would most likely be addition of extra argument to the HttpRequest.get_host() method to suppress validation against the ALLOWED_HOSTS.
But I'm puzzled by the fact that allowed hosts are validated in HttpRequest.get_host() method and not explicitely. I even have a suspicion that a request with disallowed host can be handled in cases where middlewares which uses get_host() method, such as CommonMiddleware, are disabled.
comment:8 by , 9 years ago
Allowed hosts are validated in get_host() specifically in order to enable the latter possibility: we didn't want to enforce use of ALLOWED_HOSTS on a site which never made use of the Host header at all. If the Host header is not in fact used, then a spoofed Host header has no effect, and there is no concern.
Rather than adding a new argument to get_host(), I'd prefer to introduce a new private _get_raw_host() or similar, which could be called within get_host() too. I guess that's needed (as opposed to just getting the raw Host direct from request.META in order to handle X-Forwarded-Host et al.
comment:9 by , 9 years ago
Patch is in PR https://github.com/django/django/pull/5228
I find out the bug is not a regression. The problem was there before (tested in 1.8.4) but it manifested only if include_html was enabled.
I based the fix on carljm's proposal, but apart from _get_raw_host() I had to add also get_raw_uri() method to provide alternative for build_absolute_uri() which was used in the template.
comment:10 by , 9 years ago
| Has patch: | set |
|---|
comment:11 by , 9 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
In 8f8c54f: