id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32612	CSRF tests test_https_malformed_host and test_origin_malformed_host aren't testing what they should	Chris Jerdonek	nobody	"I noticed that [https://github.com/django/django/blob/a89e975caf69ffdbec527f9fe84824e73a7c9cac/tests/csrf_tests/tests.py#L308 test_https_malformed_host()] and [https://github.com/django/django/blob/a89e975caf69ffdbec527f9fe84824e73a7c9cac/tests/csrf_tests/tests.py#L322 test_origin_malformed_host()] right after it don't seem to be testing what they should.

In both cases, if you change `req.META['HTTP_HOST'] = '@malformed'` to use a well-formed host, then the test still passes. This is because, unlike some of the other tests, it doesn't use `DEBUG=True` and check the reason for the 403. The request still results in a 403 because it lacks other needed info.

For tests like this, a perhaps better approach would be for the test to make two requests that are identical except for the host: one with the host well-formed and one with it malformed, and to check that the well-formed one succeeds. That could be done, e.g., with a helper function that accepts just the host. That would ensure that it's really testing the effect of a malformed host. (The `DEBUG=True` approach won't always distinguish things in general because code paths other than the intended one can result in the same ""reason"" string.)
"	Cleanup/optimization	closed	CSRF	3.1	Normal	invalid			Unreviewed	0	0	0	0	0	0
