#19867: get_host shouldn't apply validation to server-set values
-----------------------------------+------------------------------------
     Reporter:  anonymous          |                    Owner:  nobody
         Type:  Bug                |                   Status:  new
    Component:  HTTP handling      |                  Version:  1.4
     Severity:  Normal             |               Resolution:
     Keywords:  get_host security  |             Triage Stage:  Accepted
    Has patch:  1                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+------------------------------------

Comment (by akaariai):

 There must be a bit stronger evidence that the ServerName can be trusted.
 Otherwise there will be a need to do yet another host spoofing security fix.

 Also, turning down this protection for ServerName means users will need to
 configure both the frontend server and ALLOWED_HOSTS correctly to actually
 get any protection. I know the configuration I started with would allow
 ServerName spoofing (Apache without virtualhost). I believe many old
 configurations were done like that, not least because Django's docs said
 that was the right thing:
 https://docs.djangoproject.com/en/1.3/howto/deployment/modwsgi/

 Requests without Host header should hopefully be somewhat rare. Any HTTP
 1.1 client must include the Host header. Maybe waiting for some time to
 see if this is a more common problem would be a good idea?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/19867#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
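The trust question raised in the comment, as an added example that is not Django's own get_host() and not the patch attached to the ticket: a minimal ALLOWED_HOSTS-style matcher plus a get_host() that reads the Host header, falls back to SERVER_NAME when the header is absent, and either validates that fallback or, as the ticket proposes, passes it through unchecked. The function names (split_host_port, host_allowed, get_host, trust_server_name), the sample ALLOWED_HOSTS value and the WSGI-style meta dicts are assumptions constructed for this example; the "frontend copies a client-supplied name into SERVER_NAME" case models the Apache-without-virtualhost configuration the comment describes.

```python
# Added example (not Django's code): ALLOWED_HOSTS-style validation applied
# to both the Host header and the SERVER_NAME fallback.
from typing import Mapping, Sequence

# Constructed sample setting: one exact host, one wildcard-subdomain pattern.
ALLOWED_HOSTS = ["example.com", ".internal.example.org"]


class DisallowedHost(Exception):
    """Raised when the request host does not match ALLOWED_HOSTS."""


def split_host_port(host: str) -> str:
    """Return the lowercased host without a trailing port.

    "example.com:8000" -> "example.com"; "[::1]:8000" -> "[::1]".
    """
    host = host.lower()
    if host.startswith("["):               # IPv6 literal, keep the brackets
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_allowed(host: str, allowed: Sequence[str]) -> bool:
    """Django-style matching: "*" matches anything; ".domain" matches the
    domain itself and every subdomain; anything else must match exactly."""
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def get_host(meta: Mapping[str, str], allowed: Sequence[str],
             trust_server_name: bool = False) -> str:
    """Return the validated host[:port] for a WSGI-style meta mapping.

    trust_server_name=True reproduces the ticket's proposal: a value that
    came from the server (SERVER_NAME) is returned without validation.
    """
    if "HTTP_HOST" in meta:
        raw = meta["HTTP_HOST"]
        server_set = False
    else:
        raw = meta["SERVER_NAME"]
        port = meta.get("SERVER_PORT", "80")
        if port not in ("80", "443"):
            raw = f"{raw}:{port}"
        server_set = True

    if server_set and trust_server_name:
        return raw                          # unchecked: only safe if SERVER_NAME is truly server-set

    if host_allowed(split_host_port(raw), allowed):
        return raw
    raise DisallowedHost(f"Invalid host: {raw!r}")


def frontend_without_vhost(client_supplied_name: str) -> dict:
    """Constructed model of a frontend with no fixed ServerName: it copies a
    client-supplied name into SERVER_NAME, so the value is not really
    server-set. No Host header reaches the application in this model."""
    return {"SERVER_NAME": client_supplied_name, "SERVER_PORT": "80"}


if __name__ == "__main__":
    meta = frontend_without_vhost("spoofed.invalid")
    print("unchecked fallback returns:", get_host(meta, ALLOWED_HOSTS, trust_server_name=True))
    try:
        get_host(meta, ALLOWED_HOSTS)
    except DisallowedHost as exc:
        print("validated fallback rejects:", exc)
```

The first call in the demo shows the configuration the comment warns about: once SERVER_NAME is derived from client data, skipping validation for "server-set" values lets an arbitrary name through, so protection then depends on the frontend being configured correctly as well as ALLOWED_HOSTS. The second call keeps validation on the fallback, which is the behaviour the comment argues should stay until there is stronger evidence that SERVER_NAME can be trusted.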
