#26037: HttpRequest.get_host() uses either HTTP_X_FORWARDED_HOST or
HTTP_X_FORWARDED_PORT => should use both
-------------------------------+--------------------------------------
     Reporter:  benoitbryon    |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  HTTP handling  |                  Version:  1.9
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by mattrobenolt):

 Hm, this is a bit tricky.

 The HTTP_HOST header typically includes the port number as well, so I'd
 expect X-Forwarded-Host to include this information.

 So in my opinion, X-Forwarded-Host would supersede the use of
 X-Forwarded-Port.

 But in the real world, I've never actually seen this.

 If I were doing this in nginx, I'd have a rule like:

 {{{
 proxy_set_header X-Forwarded-Host $host;
 }}}

 And this would give you the value of the HTTP_HOST header from the client,
 which would already include the port number since this is what's sent
 along from clients.

 I guess the argument could be made that the value of X-Forwarded-Port, in
 theory, could be used to override this? For the case of multiple proxies
 or something.

 But again, I've never seen this case in practice.

 I'd vote to just document that X-Forwarded-Host takes priority over
 X-Forwarded-Port imo. If someone needs some other crazy logic, it's not
 hard to implement your own. I see this most often done in middlewares
 anyways to mutate the META dict to coerce everything to behave as they
 want.

 Now technically, in theory, you can construct an HTTP request that doesn't
 include the port number in the HTTP_HOST, but this is going against the
 spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

 Given that the spec requires this, I think it's fair to assume that
 X-Forwarded-Host should as well contain the port number.

 Overall, this is only a problem if the port specified in X-Forwarded-Host
 differed from what was passed through to X-Forwarded-Port, and in which
 case, I can't think of when that would happen.

 So I'm open to hearing a scenario where this may happen.

--
Ticket URL: <https://code.djangoproject.com/ticket/26037#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
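
Added example (not part of the ticket comment and not Django's own code): a sketch of the "mutate the META dict" approach mentioned above, applying the proposed rule that X-Forwarded-Host takes priority over X-Forwarded-Port and recording any disagreement. The names split_host and normalize_forwarded, the trust_proxy flag, the fallback to X-Forwarded-Port when the host carries no port, and the sample values are assumptions made for illustration.

```python
import re

# hostname or bracketed IPv6 literal, optionally followed by :port
HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::([0-9]{1,5}))?$")


def split_host(value):
    """Return (host, port or None); raise ValueError on anything else."""
    m = HOST_RE.match(value.strip())
    if not m:
        # Also rejects comma-separated lists from chained proxies.
        raise ValueError("malformed host value: %r" % value)
    return m.group(1).lower(), m.group(2)


def normalize_forwarded(meta, trust_proxy):
    """Return (new_meta, warnings) with one effective HTTP_HOST.

    The X-Forwarded-* keys are always removed from the result, so later
    code cannot read them independently of this decision.
    """
    meta = dict(meta)
    warnings = []
    fwd_host = meta.pop("HTTP_X_FORWARDED_HOST", None)
    fwd_port = meta.pop("HTTP_X_FORWARDED_PORT", None)
    if not trust_proxy or fwd_host is None:
        return meta, warnings  # keep the original HTTP_HOST
    host, port = split_host(fwd_host)
    if fwd_port is not None:
        fwd_port = fwd_port.strip()
        if not re.fullmatch(r"[0-9]{1,5}", fwd_port):
            raise ValueError("malformed port value: %r" % fwd_port)
        if port is None:
            port = fwd_port  # assumption: fill in a port the host lacks
        elif port != fwd_port:
            # X-Forwarded-Host takes priority; record the disagreement.
            warnings.append("port mismatch: host=%s port=%s" % (port, fwd_port))
    meta["HTTP_HOST"] = host if port is None else "%s:%s" % (host, port)
    return meta, warnings


# Constructed sample request metadata (not taken from the ticket).
SAMPLE = {
    "HTTP_HOST": "backend.internal:8000",
    "HTTP_X_FORWARDED_HOST": "example.com:8443",
    "HTTP_X_FORWARDED_PORT": "443",
}

if __name__ == "__main__":
    print(normalize_forwarded(SAMPLE, trust_proxy=True))
    print(normalize_forwarded(SAMPLE, trust_proxy=False))
```

Logging the mismatch warning gives a concrete record of the scenario the comment asks about, should a proxy chain ever produce it.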
