#19866: SuspiciousOperation should not be answered with HTTP 500
---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------

Comment (by carljm):

 Replying to [comment:20 stavros]:
 > Correct me if I'm wrong, but won't sites just not work with
 > `ALLOWED_HOSTS` set to the default of `[]`? Not that many people will be
 > unaware that their site produces a 400 error with "Invalid host" all the
 > time.

 I sympathize with this point of view (that's why it's currently a 500),
 but on the other hand - are people really launching sites and never once
 checking the site themselves to see whether it even works? Given the
 amount of fiddling that's often already necessary to get a site working in
 production (with static assets and whatnot), this seems pretty dubious to
 me.

 I guess we could do what was suggested above: make it a 500
 (`ImproperlyConfigured`, perhaps) if `ALLOWED_HOSTS` is empty when `DEBUG`
 is `False`, and a 400 if it's non-empty but the request doesn't match.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/19866#comment:21>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
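
The split proposed in the comment above, as an added sketch that is not part of the ticket and not Django's own code: an empty `ALLOWED_HOSTS` with `DEBUG` off is reported as a server misconfiguration (500), while a Host header that matches no entry is a client error (400). The function names are hypothetical, and skipping the check when `DEBUG` is `True` is an assumption.

```python
# Added illustration of the proposed status split; not Django's implementation.

def split_port(host):
    """Return the lower-cased host name without a trailing :port."""
    host = host.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_matches(host, pattern):
    """Match in the ALLOWED_HOSTS style: an exact name, '.example.com' for a
    domain and its subdomains, or '*' for any host."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def status_for_host(host_header, allowed_hosts, debug):
    """Return the HTTP status the proposal would give this request.
    200 stands for "host accepted, continue handling the request"."""
    if debug:
        return 200   # assumption: host validation is skipped when DEBUG is True
    if not allowed_hosts:
        return 500   # deployment error: the operator never set ALLOWED_HOSTS
    host = split_port(host_header)
    if any(host_matches(host, p) for p in allowed_hosts):
        return 200
    return 400       # client error: Host header names a site we do not serve
```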
