#19867: get_host shouldn't apply validation to server-set values
-----------------------------------+------------------------------------
Reporter: anonymous | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.4
Severity: Normal | Resolution:
Keywords: get_host security | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+------------------------------------
Changes (by carljm):
* stage: Unreviewed => Accepted
Comment:
Thanks for the report! I agree that it isn't necessary to validate a host
value reconstructed from ``SERVER_NAME`` and ``SERVER_PORT`` (although, is
it possible that some misconfigured WSGI gateways might put something
untrusted into ``SERVER_NAME`` under some circumstance?).
Made a few comments on the pull request.
--
Ticket URL: <https://code.djangoproject.com/ticket/19867#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
