Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-25 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  Chris
 |  Jerdonek
 Type:  Bug  |   Status:  closed
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:  fixed
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Changes (by Mariusz Felisiak ):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"ff514309e178e3955012050ead9b8fc66dc21a5b" ff514309]:
 {{{
 #!CommitTicketReference repository=""
 revision="ff514309e178e3955012050ead9b8fc66dc21a5b"
 Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with
 Origin header has an invalid host.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.f254baac50ece2addf6a9827b4d5eddb%40djangoproject.com.


Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-25 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  Chris
 |  Jerdonek
 Type:  Bug  |   Status:  assigned
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Changes (by Chris Jerdonek):

 * has_patch:  0 => 1


Comment:

 PR: https://github.com/django/django/pull/14179



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-24 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  Chris
 |  Jerdonek
 Type:  Bug  |   Status:  assigned
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Changes (by Chris Jerdonek):

 * owner:  nobody => Chris Jerdonek
 * status:  new => assigned




Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-

Comment (by Mariusz Felisiak):

 Replying to [comment:6 Chris Jerdonek]:
 > It might be good to fix `_get_GET_no_csrf_cookie_request()` so that the
 > method is indeed set to `GET`.

 Agreed, [https://github.com/django/django/pull/14166 PR].



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-

Comment (by Chris Jerdonek):

 > Test crashes because method is not set in this case. I updated attached
 > test to use the POST method.

 It might be good to fix `_get_GET_no_csrf_cookie_request()` so that the
 method is indeed set to `GET`.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-

Comment (by Mariusz Felisiak):

 Replying to [comment:4 Chris Jerdonek]:
 > Thanks, Mariusz. However, do you know for sure that's testing the right
 > code path? `_origin_verified()` only gets called when `if request.method
 > not in ('GET', 'HEAD', 'OPTIONS', 'TRACE')`, but the test appears to be
 > `GET`. I could be wrong though since my observation is based on inspection
 > rather than running the test.

 Test crashes because `method` is not set in this case. I updated attached
 test to use the `POST` method.

 Replying to [comment:2 Tim Graham]:
 > It might be better to perform host validation elsewhere in Django as
 > suggested in #27575 so that DisallowedHost doesn't need to be caught
 > everywhere.

 This can be tricky, so I'd fix this case independently and discuss the
 options in #27575.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * Attachment "32578.diff" added.

 Regression test.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-

Comment (by Chris Jerdonek):

 Thanks, Mariusz. However, do you know for sure that's testing the right
 code path? `_origin_verified()` only gets called when `if request.method
 not in ('GET', 'HEAD', 'OPTIONS', 'TRACE')`, but the test appears to be
 `GET`. I could be wrong though since my observation is based on inspection
 rather than running the test.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
  CsrfViewMiddleware,DisallowedHost  |
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * type:  Uncategorized => Bug
 * easy:  0 => 1
 * stage:  Unreviewed => Accepted


Comment:

 Thanks for the report. I attached a test.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Uncategorized|   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  CsrfViewMiddleware,DisallowedHost  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * Attachment "32578.diff" added.

 Regression test.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Uncategorized|   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  CsrfViewMiddleware,DisallowedHost  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Chris Jerdonek):

 Another option would be for `get_host()` to accept an argument that causes
 it to return e.g. `None` on a disallowed host instead of raising
 `DisallowedHost`. That would make people more aware of that possibility
 and give callers another option aside from a try-except for handling that
 case.



Re: [Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
 Reporter:  Chris Jerdonek   |Owner:  nobody
 Type:  Uncategorized|   Status:  new
Component:  CSRF |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  CsrfViewMiddleware,DisallowedHost  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Tim Graham):

 It might be better to perform host validation elsewhere in Django as
 suggested in #27575 so that `DisallowedHost` doesn't need to be caught
 everywhere.



[Django] #32578: Handle request.get_host() raising DisallowedHost in CsrfViewMiddleware._origin_verified()

2021-03-21 Thread Django
#32578: Handle request.get_host() raising DisallowedHost in
CsrfViewMiddleware._origin_verified()
-+-
   Reporter:  Chris  |  Owner:  nobody
  Jerdonek   |
   Type: | Status:  new
  Uncategorized  |
  Component:  CSRF   |Version:  dev
   Severity:  Normal |   Keywords:
   Triage Stage: |  CsrfViewMiddleware,DisallowedHost
  Unreviewed |  Has patch:  0
Needs documentation:  0  |Needs tests:  0
Patch needs improvement:  0  |  Easy pickings:  0
  UI/UX:  0  |
-+-
 Currently, on this line, `CsrfViewMiddleware._origin_verified()` doesn't
 handle `request.get_host()` raising `DisallowedHost`:

 https://github.com/django/django/blob/41e6b2a3c5e723256506b9ff49437d52a1f3bf43/django/middleware/csrf.py#L229-L231

 Since Django was previously fixed to handle `request.get_host()` raising
 `DisallowedHost` elsewhere in `CsrfViewMiddleware.process_view()` (see
 ticket #28693), it seems like it should be handled here, too.

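Added illustration of the two points this thread turns on; it is neither Django's own code nor the ticket's attached test. It models, in plain Python with no Django dependency, an Origin check in the shape of `CsrfViewMiddleware._origin_verified()`: the pre-fix form lets `get_host()` raise `DisallowedHost` through the middleware (an unhandled exception, so a 500 rather than the intended 403), and the fixed form treats a host that fails `ALLOWED_HOSTS` validation as a failed origin check. The `process_view()` stand-in also shows the code-path detail raised in the comments: the Origin check is only reached for methods outside `GET`, `HEAD`, `OPTIONS`, `TRACE`, so a `GET` test request never exercises it. `Request`, `validate_host()` and `process_view()` are simplified stand-ins written for this example; Django's fallthrough to `CSRF_TRUSTED_ORIGINS`, the Referer check and the token comparison are deliberately left out.

```python
"""Simplified model of the CSRF Origin check discussed in ticket #32578.
Example code written for this page, not Django's implementation."""


class DisallowedHost(Exception):
    """Stand-in for django.core.exceptions.DisallowedHost."""


def validate_host(host, allowed_hosts):
    """Simplified ALLOWED_HOSTS matching (stand-in, not Django's function):
    '*' matches everything, '.example.com' matches example.com and any
    subdomain, any other pattern must match the host exactly."""
    host = host.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*':
            return True
        if pattern.startswith('.'):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


class Request:
    """Constructed minimal request: method, scheme and a headers dict."""

    def __init__(self, method, scheme, headers):
        self.method = method
        self.scheme = scheme
        self.headers = headers  # e.g. {'Host': ..., 'Origin': ...}

    def get_host(self, allowed_hosts):
        # Like Django's HttpRequest.get_host(): validates against ALLOWED_HOSTS
        # and raises instead of returning an untrusted value.
        host = self.headers.get('Host', '')
        if not validate_host(host, allowed_hosts):
            raise DisallowedHost(f"Invalid HTTP_HOST header: {host!r}")
        return host


SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS', 'TRACE')


def origin_verified_before_fix(request, allowed_hosts):
    """Pre-fix shape: get_host() is called unguarded, so a disallowed Host
    header escapes the middleware as an exception."""
    good_origin = f"{request.scheme}://{request.get_host(allowed_hosts)}"
    return request.headers.get('Origin') == good_origin


def origin_verified_after_fix(request, allowed_hosts):
    """Fixed shape: a host that fails validation cannot be a good origin,
    so the check simply fails (Django then falls through to its other
    checks, omitted here) instead of propagating DisallowedHost."""
    try:
        good_host = request.get_host(allowed_hosts)
    except DisallowedHost:
        return False
    good_origin = f"{request.scheme}://{good_host}"
    return request.headers.get('Origin') == good_origin


def process_view(request, allowed_hosts, origin_verified):
    """Stand-in for the middleware entry point. Returns None to let the
    request through or 'REJECT' where Django would send a 403. The Origin
    check is only reached for unsafe methods, which is why a GET test
    request never hits the code path this ticket is about."""
    if request.method in SAFE_METHODS:
        return None
    if 'Origin' in request.headers:
        return None if origin_verified(request, allowed_hosts) else 'REJECT'
    return 'REJECT'  # Referer and token checks omitted in this model


def raises_disallowed_host(check, request, allowed_hosts):
    """True if the given origin check lets DisallowedHost escape."""
    try:
        check(request, allowed_hosts)
    except DisallowedHost:
        return True
    return False


if __name__ == '__main__':
    allowed = ['.example.com']
    bad = Request('POST', 'https', {'Host': 'attacker.test',
                                    'Origin': 'https://attacker.test'})
    good = Request('POST', 'https', {'Host': 'www.example.com',
                                     'Origin': 'https://www.example.com'})
    print('before fix raises:', raises_disallowed_host(origin_verified_before_fix, bad, allowed))
    print('after fix:', process_view(bad, allowed, origin_verified_after_fix))
    print('legitimate request:', process_view(good, allowed, origin_verified_after_fix))
```

Swapping `origin_verified_before_fix` for `origin_verified_after_fix` in the `process_view()` call is the whole difference between a 500 and a 403 for a request whose Host header is outside `ALLOWED_HOSTS`; the `GET` branch returns before either check runs, which is the regression-test detail the thread settled on.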