id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30091	Incorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.	Mark Gregson	Carlton Gibson	"I've observed that, when using CSRF_USE_SESSIONS = True and with SessionMiddleware correctly placed before CsrfViewMiddleware, a request with an invalid HTTP_HOST header raises an exception and, while preparing a response for this exception, the CsrfViewMiddleware raises an unhandled ImproperlyConfigured exception and an internal server error is returned to the browser.

I expect that an HTTP 400 will be returned to the user for an invalid HTTP_HOST header and that the CsrfViewMiddleware will not raise an exception.

To reproduce, configure the application as above, set up a new hostname (one that is not in ALLOWED_HOSTS) pointing at the Django application (using the hosts file, for example), and then request that hostname."	Cleanup/optimization	closed	Documentation	dev	Normal	fixed	middleware		Accepted	1	0	0	0	0	0
