#19867: get_host shouldn't apply validation to server-set values
-----------------------------------+------------------------------------
     Reporter:  anonymous          |          Owner:  nobody
         Type:  Bug                |         Status:  new
    Component:  HTTP handling      |        Version:  1.4
     Severity:  Normal             |     Resolution:
     Keywords:  get_host security  |   Triage Stage:  Accepted
    Has patch:  1                  |  Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |          UI/UX:  0
-----------------------------------+------------------------------------
Comment (by akaariai):

 There must be a bit stronger evidence that the ServerName can be trusted. Otherwise there will be a need to do yet another host spoofing security fix. Also, turning down this protection for ServerName means users will need to configure both the frontend server and ALLOWED_HOSTS correctly to actually get any protection.

 I know the configuration I started with would allow ServerName spoofing (Apache without virtualhost). I believe many old configurations were done like that, not least because Django's docs said that was the right thing: https://docs.djangoproject.com/en/1.3/howto/deployment/modwsgi/

 Requests without a Host header should hopefully be somewhat rare. Any HTTP 1.1 client must include the Host header. Maybe waiting for some time to see if this is a more common problem would be a good idea?

--
Ticket URL: <https://code.djangoproject.com/ticket/19867#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
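The comment above turns on one question: whether a host that the web server filled in (SERVER_NAME) deserves the same ALLOWED_HOSTS check as a client-supplied Host header. The following is an added example, not Django's own get_host or validate_host code, that resolves the host from a WSGI-style environ and applies the same pattern check to both sources. The pattern semantics are modeled on ALLOWED_HOSTS ('*', a leading dot for a domain and its subdomains, otherwise an exact match); the function names, the port-handling policy and the sample environs are assumptions made for this example.

```python
"""Added example (not Django's code): resolve the request host from a WSGI
environ and validate it against ALLOWED_HOSTS-style patterns, whether the
value came from the client's Host header or from the server's own name."""

from typing import Mapping, Sequence, Tuple


class DisallowedHost(Exception):
    """Raised when the resolved host matches no allowed pattern."""


def host_matches(host: str, pattern: str) -> bool:
    """Match one host against one pattern (modeled on ALLOWED_HOSTS rules).

    '*' matches everything; a leading dot matches the domain itself and all
    of its subdomains; anything else must match exactly. Matching is
    case-insensitive and ignores a trailing dot (FQDN form).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host: str, allowed_hosts: Sequence[str]) -> bool:
    """True if the host matches at least one allowed pattern."""
    return any(host_matches(host, p) for p in allowed_hosts)


def split_domain_port(host: str) -> Tuple[str, str]:
    """Separate 'example.com:8000' or '[::1]:8000' into (domain, port).

    IPv6 literals keep their brackets so they can be listed as '[::1]'.
    """
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return host, ""
        rest = host[end + 1:]
        return host[:end + 1], (rest[1:] if rest.startswith(":") else "")
    domain, sep, port = host.rpartition(":")
    if not sep:
        return host, ""
    return domain, port


def get_host(environ: Mapping[str, str], allowed_hosts: Sequence[str]) -> str:
    """Return the validated host for a request, or raise DisallowedHost.

    environ uses WSGI keys: HTTP_HOST, SERVER_NAME, SERVER_PORT, wsgi.url_scheme.
    """
    if "HTTP_HOST" in environ:
        host, source = environ["HTTP_HOST"], "Host header"
    else:
        # No Host header (HTTP/1.0 or a broken client): fall back to the web
        # server's own name. A default Apache vhost reports whatever name the
        # client connected with, so this example validates the fallback
        # exactly like the header (assumed policy, not Django's).
        host, source = environ["SERVER_NAME"], "SERVER_NAME"
        port = str(environ.get("SERVER_PORT", ""))
        default_port = "443" if environ.get("wsgi.url_scheme") == "https" else "80"
        if port and port != default_port:
            host = f"{host}:{port}"
    domain, _port = split_domain_port(host)
    if not domain or not validate_host(domain, allowed_hosts):
        raise DisallowedHost(f"Invalid host {host!r} (taken from {source})")
    return host


def host_allowed(environ: Mapping[str, str], allowed_hosts: Sequence[str]) -> bool:
    """Boolean convenience wrapper around get_host."""
    try:
        get_host(environ, allowed_hosts)
        return True
    except DisallowedHost:
        return False


if __name__ == "__main__":
    ALLOWED = [".example.com"]
    # Constructed sample environs, not captured from a real server.
    samples = [
        {"HTTP_HOST": "www.example.com"},
        {"HTTP_HOST": "evil.example.net"},
        {"SERVER_NAME": "example.com", "SERVER_PORT": "80"},
        {"SERVER_NAME": "evil.example.net", "SERVER_PORT": "80"},  # default-vhost echo
    ]
    for env in samples:
        try:
            print("accepted:", get_host(env, ALLOWED))
        except DisallowedHost as exc:
            print("rejected:", exc)
```

The fourth sample is the case the comment describes: with no Host header and an Apache instance that has no matching VirtualHost, SERVER_NAME simply echoes the name the client connected with, so skipping validation for server-set values would let that request through.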