Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-25 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  closed
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:  fixed
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------
Changes (by Preston Holmes):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"d228c1192ed59ab0114d9eba82ac99df611652d2"]:
 {{{
 #!CommitTicketReference repository=""
 revision="d228c1192ed59ab0114d9eba82ac99df611652d2"
 Fixed #19866 -- Added security logger and return 400 for
 SuspiciousOperation.

 SuspiciousOperations have been differentiated into subclasses, and
 are now logged to a 'django.security.*' logger. SuspiciousOperations
 that reach django.core.handlers.base.BaseHandler will now return a 400
 instead of a 500.

 Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
 for review.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/063.ecb8eb0b8790bb410ddacf030fae6475%40djangoproject.com?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-25 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
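---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------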

Comment (by claudep):

 About the `patch_logger` functionality, note that I had proposed something
 similar (`capture_logging`) in #17958 with a slightly different
 implementation (using a `MemoryHandler` instead of a list). At first, I
 cannot say one is better than the other, but it might be worth
 considering.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-23 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
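---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------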

Comment (by ptone):

 @carljm - absolutely:

 https://github.com/django/django/pull/1207





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-22 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
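---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------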

Comment (by carljm):

 @ptone Can you make a pull request for the branch to enable inline
 commenting?





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-20 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
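---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------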

Comment (by ptone):

 So a near final patch is available here for review:

 https://github.com/ptone/django/compare/ticket/19866-susop

 @dstufft's feedback on passing the exc as extra_info was that people are
 not likely to bother with custom handlers - so the current approach uses a
 sub-logger with a matching name.

 The prior use of SuspiciousOperation varied in terms of how it was handled
 - in many cases it was handled outside of the base WSGI handler, and in
 other cases it made it up to the WSGI handler, where it was unhandled,
 triggering the unhandled exc code path and returning a 500 (the original
 issue of this ticket).

 This patch essentially does two things:

 It handles a SuspiciousOperation in the WSGI handler and returns a 400
 through a similar process as the 404 and 500 handlers. It was deemed not
 worthwhile to refactor this resolver branching heavily into something that
 references a dict or otherwise, as there were enough differences such that
 there would have been little net gain for increasing the indirection. To
 fully refactor this would involve URLresolver changes and should be done
 in a different patch.

 Other uses of SuspiciousOperation were being handled before reaching the
 WSGI handler, but there was no reporting of these to the user - this
 silent swallowing of potentially security-related data is addressed in
 this patch by logging any SuspiciousOperation to a django.security logger.
 This is handled inside the init of SuspiciousOperation, because in a
 number of places SuspiciousOperation was not being handled with any
 specific behavior, and the "event" worth logging happens at the time the
 SuspiciousOperation is raised, not when it is handled. The base
 SuspiciousOperation has been differentiated into subclasses - this was
 done initially when the filtering was to be done by handlers, but remains
 as a way of matching the subclass to a matched sub-logger (and can still be
 used in custom handlers).

 By default the handler for the security logger is mail-admins.  This is to
 preserve the existing behavior for those places where SuspOp would be
 caught in the WSGI handler, and because security-related stuff should be
 loud by default - but this also means that situations that raised
 SuspiciousOperation, which were being silently caught in the past, will
 also now generate admin-mails.  There is a documentation example of how to
 silence logging associated with specific SuspiciousOperation subclasses.

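The sub-logger design described in the comment above, as an added sketch (not code from the patch or from Django): stand-in exception classes log to `django.security.<ClassName>` when they are created, and a `dictConfig` mapping silences one subclass while the others still alert. `AlertHandler`, `ALERTS` and the sample messages are constructed for illustration; `DisallowedHost` and `SuspiciousFileOperation` reuse Django class names but are local stand-ins here.

```python
import logging
import logging.config

ALERTS = []  # stands in for the admin mailbox (assumption for this demo)


class AlertHandler(logging.Handler):
    """Hypothetical stand-in for a mail-admins style handler."""

    def emit(self, record):
        ALERTS.append((record.name, record.getMessage()))


class SuspiciousOperation(Exception):
    """Local stand-in, not django.core.exceptions.SuspiciousOperation."""

    def __init__(self, message):
        super().__init__(message)
        # Log when the exception is created, so the event is recorded even
        # if a caller later catches and discards the exception.
        name = "django.security.%s" % type(self).__name__
        logging.getLogger(name).error(message)


class DisallowedHost(SuspiciousOperation):
    pass


class SuspiciousFileOperation(SuspiciousOperation):
    pass


LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {
        "alert_admins": {"()": AlertHandler, "level": "ERROR"},
        "null": {"class": "logging.NullHandler"},
    },
    "loggers": {
        # Loud by default: every subclass logger propagates up to this one.
        "django.security": {
            "handlers": ["alert_admins"],
            "level": "ERROR",
            "propagate": False,
        },
        # Opt one noisy subclass out without touching the others.
        "django.security.DisallowedHost": {
            "handlers": ["null"],
            "propagate": False,
        },
    },
}


def run_demo():
    """Raise and swallow two constructed events; return what was alerted."""
    logging.config.dictConfig(LOGGING)
    del ALERTS[:]
    samples = [
        (DisallowedHost, "Invalid HTTP_HOST header (constructed sample)"),
        (SuspiciousFileOperation,
         "Attempted access to '../outside.txt' denied (constructed sample)"),
    ]
    for exc_class, message in samples:
        try:
            raise exc_class(message)
        except SuspiciousOperation:
            pass  # caller swallows it; the log record already exists
    return list(ALERTS)


if __name__ == "__main__":
    for name, message in run_demo():
        print(name, "->", message)
```

Only the `SuspiciousFileOperation` event reaches the alert handler; the `DisallowedHost` record stops at its own logger because `propagate` is `False` there.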




Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-10 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
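---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------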

Comment (by carljm):

 Subclassing `SuspiciousOperation` for each case where it's used seems fine
 to me. I don't think we'd need `e.__name__` at the beginning of the log
 message (unless the message is otherwise unclear); I think we should pass
 on the exception itself as extra data along with the logged message,
 meaning that logging handlers and filters would have direct access to the
 exception itself.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-09 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
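---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------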

Comment (by ptone):

 One of the problematic things about the use of SuspiciousOperation is
 that there is no way to get any specificity of event types.  If you care
 about some more than others, you're stuck with parsing strings.

 Since we only raise this exception in relatively few places (I think I
 count 8), one idea would be to subclass SuspiciousOperation for each case,
 and have the logger put in e.__name__ at the beginning of the message, so
 there would at least be that.

 If we accept Alex's premise that logging should be bifurcated, into mild
 or oh-crap, which should SuspiciousOperation be?

 My inclination is to log SuspiciousOperation events as info/warning (I'd
 group those all below Error) and have people configure logging as needed.

 This does result in a change in behavior that should be strongly called
 out in the release notes, as any suspicious operations in <=1.5 would be
 logged to monitoring tools that watch for 500s (i.e. sentry) and if we
 introduce a 400 response path that handles these exceptions, a new shim
 like the 404 middleware for raven will be needed to deliver these to
 sentry as well.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-05-08 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
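---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  ptone
         Type:  Bug              |                   Status:  assigned
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------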
Changes (by ptone):

 * owner:  nobody => ptone
 * status:  new => assigned






Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-04-24 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
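---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------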

Comment (by carljm):

 Replying to [comment:20 stavros]:
 > Correct me if I'm wrong, but won't sites just not work with
 > `ALLOWED_HOSTS` set to the default of `[]`? Not that many people will be
 > unaware that their site produces a 400 error with "Invalid host" all the
 > time.

 I sympathize with this point of view (that's why it's currently a 500),
 but on the other hand - are people really launching sites and never once
 checking the site themselves to see whether it even works? Given the
 amount of fiddling that's often already necessary to get a site working in
 production (with static assets and whatnot), this seems pretty dubious to
 me.

 I guess we could do what was suggested above: make it a 500
 (`ImproperlyConfigured`, perhaps) if `ALLOWED_HOSTS` is empty when `DEBUG`
 is `False`, and a 400 if it's non-empty but the request doesn't match.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-04-24 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
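---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------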

Comment (by stavros):

 Correct me if I'm wrong, but won't sites just not work with
 `ALLOWED_HOSTS` set to the default of `[]`? Not that many people will be
 unaware that their site produces a 400 error with "Invalid host" all the
 time.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-04-09 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
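---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------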

Comment (by joejasinski):

 The filter from tiwoc seemed to work as a work-around for now.  Thank you
 for the blog post and code example.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-04-02 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
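---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------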
Changes (by net147):

 * cc: net147 (added)






Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-03-30 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
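---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------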
Changes (by tcx):

 * cc: tcx (added)






Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-03-24 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
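---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------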
Changes (by firass):

 * cc: firass (added)






Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-03-24 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
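---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------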
Changes (by jshuping):

 * cc: jshuping (added)






Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-03-22 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
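---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------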

Comment (by digimag@…):

 Quick idea: the 500 error could still be raised if the allowed hosts list
 is empty (because it is clearly a misconfiguration). But if the list is
 not empty, there is no reason why admins should be notified by e-mail. You
 can throw a more appropriate response (403 or 400 error page) and if you
 really want it, you can simply log this event.

 What do you think about it?





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-03-11 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
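---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------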

Comment (by tiwoc):

 If there's anyone interested in using the logging filter workaround, you
 can have a look at a
 [https://github.com/tiwoc/django-exceptionfilter-demo small example project]
 where SuspiciousOperation exceptions are filtered without modifying the
 Django source code, and my
 [http://www.tiwoc.de/blog/2013/03/django-prevent-email-notification-on-suspiciousoperation/ accompanying blog post].





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-02-28 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
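---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------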

Comment (by russellm):

 #19946 was a duplicate. An informal straw poll on #django-social suggested
 there would be a bit of support for a quick turnaround 1.5.1 release to
 correct this problem before there was a lot of legacy code using the
 500-returning solution.





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-02-27 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
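---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------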
Changes (by carljm):

 * severity:  Normal => Release blocker


Comment:

 This is a release blocker for 1.6. (I think an argument could be made to
 backport it for 1.5.1).





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-02-22 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------

Comment (by carljm):

 Replying to [comment:9 tiwoc]:
 > I want to work around this issue until 1.6 is here. Is defining a
 > logging filter that removes `SuspiciousOperation` exceptions (along the
 > lines of the example for `CallbackFilter` from the
 > [https://docs.djangoproject.com/en/1.4/topics/logging/#django.utils.log.CallbackFilter logging docs])
 > the best way to do this?

 Yep, that's the right approach.

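The logging-filter workaround confirmed above, as an added sketch using only the standard library (not tiwoc's code and not Django's): a filter on the alerting handler drops records whose attached exception is a `SuspiciousOperation`, while a second handler keeps them so the security signal is not lost. `SuspiciousOperation` here is a local stand-in, and `ListHandler`, `SkipSuspiciousOperation` and the sample events are hypothetical names constructed for the demo; in a Django project the same predicate would be passed to `CallbackFilter`.

```python
import logging


class SuspiciousOperation(Exception):
    """Local stand-in, not django.core.exceptions.SuspiciousOperation."""


class SkipSuspiciousOperation(logging.Filter):
    """Reject records whose exc_info carries a SuspiciousOperation."""

    def filter(self, record):
        exc_info = record.exc_info
        # exc_info is a (type, value, traceback) tuple when the record was
        # logged with exc_info=True inside an except block.
        if isinstance(exc_info, tuple) and isinstance(
                exc_info[1], SuspiciousOperation):
            return False
        return True


class ListHandler(logging.Handler):
    """Collects the exception class name of each record it emits."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        exc = record.exc_info[1] if record.exc_info else None
        self.messages.append(type(exc).__name__ if exc else record.getMessage())


def build_logger():
    mail = ListHandler()   # stands in for the handler that e-mails admins
    audit = ListHandler()  # unfiltered: keeps every event for later review
    mail.addFilter(SkipSuspiciousOperation())
    logger = logging.getLogger("django.request")
    logger.handlers = [mail, audit]
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    return logger, mail, audit


def run_demo():
    """Log one suspicious request and one genuine bug (both constructed)."""
    logger, mail, audit = build_logger()
    events = (
        SuspiciousOperation("Invalid HTTP_HOST header (constructed sample)"),
        ValueError("genuine server bug (constructed sample)"),
    )
    for exc in events:
        try:
            raise exc
        except Exception:
            logger.error("Internal Server Error: /", exc_info=True)
    return mail.messages, audit.messages


if __name__ == "__main__":
    mailed, audited = run_demo()
    print("mailed:", mailed)
    print("audited:", audited)
```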




Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500

2013-02-22 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------

Comment (by tiwoc):

 Sounds good to me!

 I want to work around this issue until 1.6 is here. Is defining a logging
 filter that removes `SuspiciousOperation` exceptions (along the lines of
 the example for `CallbackFilter` from the
 [https://docs.djangoproject.com/en/1.4/topics/logging/#django.utils.log.CallbackFilter logging docs])
 the best way to do this?





Re: [Django] #19866: SuspiciousOperation should not be answered with HTTP 500 (was: Spoofed host name (not in ALLOWED_HOSTS) should not be answered with HTTP 500)

2013-02-21 Thread Django
#19866: SuspiciousOperation should not be answered with HTTP 500
---------------------------------+------------------------------------
     Reporter:  tiwoc            |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  HTTP handling    |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------

Comment (by carljm):

 Editing the title to reflect the modified scope here (we want to deal with
 all `SuspiciousOperation` better, not just `ALLOWED_HOSTS`).
