Opened 8 years ago

Last modified 8 years ago

#27379 closed Bug

Django violates RFC7230 when handling requests. — at Version 1

Reported by: Stavros Korokithakis
Owned by: nobody
Component: HTTP handling
Version: 1.10
Severity: Normal
Keywords:
Cc: Florian Apolloner, rene@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Stavros Korokithakis)

For a request coming in with an absolute URI and a different host header, Django still uses the Host header value to service the request. RFC 7230 specifies:

If the request-target is in absolute-form, the effective request URI is the same as the request-target.

(https://tools.ietf.org/html/rfc7230#section-5.5)

Thus, if a request comes in where the host header is different from the host in the absolute URI, Django should use the absolute URI, rather than the host value.

This is a problem when a request comes in looking like:

GET https://valid.hostname/ HTTP/1.1
Host: invalid.hostname

Django currently fails this as a violation of ALLOWED_HOSTS, but it shouldn't. Granted, we only see this in attacks, but nginx passes these requests through (because it should) and Django fails them because of the wonky host.

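The following is an added illustration of the RFC 7230 section 5.5 rule quoted in the ticket; it is not Django's code and not part of the ticket. It parses the sample request above (constructed here from the ticket's two lines), computes the effective request URI for absolute-form, origin-form, asterisk-form and authority-form targets, and then runs a hypothetical ALLOWED_HOSTS-style check two ways: against the Host header alone (a stand-in for the behaviour the reporter describes, not Django's implementation) and against the host of the effective request URI. The scheme of the connection is passed in as an assumed parameter, since a real server knows whether the request arrived over TLS.

```python
"""Effective request URI per RFC 7230 section 5.5 (added example, not Django code)."""
from urllib.parse import urlsplit

# Constructed sample built from the request shown in the ticket:
# absolute-form target with a mismatched Host header.
SAMPLE_REQUEST = (
    "GET https://valid.hostname/ HTTP/1.1\r\n"
    "Host: invalid.hostname\r\n"
    "\r\n"
)

# Hypothetical allow-list standing in for Django's ALLOWED_HOSTS setting.
ALLOWED_HOSTS = ["valid.hostname"]


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def effective_request_uri(method, target, headers, scheme="http"):
    """Apply the RFC 7230 section 5.5 rules for the effective request URI.

    `scheme` is an assumed stand-in for the scheme of the connection the
    request arrived on (http or https).
    """
    if method == "CONNECT":
        # authority-form: scheme "://" request-target
        return f"{scheme}://{target}"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # absolute-form: the effective request URI is the request-target itself;
        # the Host header plays no part in it.
        return target
    host = headers.get("host")
    if not host:
        raise ValueError("origin-form or asterisk-form request without a Host header")
    if target == "*":
        # asterisk-form: the combined path and query component is empty
        return f"{scheme}://{host}"
    # origin-form: scheme "://" Host request-target
    return f"{scheme}://{host}{target}"


def effective_host(method, target, headers):
    """Host component of the effective request URI, lower-cased, port dropped."""
    return urlsplit(effective_request_uri(method, target, headers)).hostname


def allowed_by_host_header(raw, allowed=ALLOWED_HOSTS):
    """Stand-in for the behaviour the ticket describes: validate the Host header only."""
    _m, _t, _v, headers = parse_request(raw)
    host = urlsplit(f"//{headers.get('host', '')}").hostname
    return host in allowed


def allowed_by_effective_uri(raw, allowed=ALLOWED_HOSTS):
    """Behaviour the ticket asks for: validate the host of the effective request URI."""
    method, target, _v, headers = parse_request(raw)
    return effective_host(method, target, headers) in allowed


if __name__ == "__main__":
    m, t, v, h = parse_request(SAMPLE_REQUEST)
    print("effective request URI:", effective_request_uri(m, t, h, scheme="https"))
    print("Host-header check:    ", allowed_by_host_header(SAMPLE_REQUEST))
    print("effective-URI check:  ", allowed_by_effective_uri(SAMPLE_REQUEST))
```

For the sample request the Host-header check rejects the request and the effective-URI check accepts it, which is exactly the mismatch the ticket reports. Note that section 5.4 of the same RFC still requires a 400 response for a request that lacks a Host header or carries an invalid one, so a server that follows 5.5 for absolute-form targets does not thereby stop validating Host.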
Change History (1)

comment:1 by Stavros Korokithakis, 8 years ago

Description: modified (diff)