Re: [Django] #19987: Basic host validation performed even when DEBUG=True

[Django]

#19987: Basic host validation performed even when DEBUG=True
-+-
 Reporter:  Will Hardy   |Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  HTTP handling|  Version:  master
 Severity:  Normal   |   Resolution:  fixed
 Keywords:   | Triage Stage:  Ready for
Has patch:  1|  checkin
  Needs tests:  0|  Needs documentation:  0
Easy pickings:  1|  Patch needs improvement:  0
 |UI/UX:  0
-+-
Changes (by Tim Graham ):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"1c3c21b38d154eff0286c194711dced2ac39dd3d"]:
 {{{
 #!CommitTicketReference repository=""
 revision="1c3c21b38d154eff0286c194711dced2ac39dd3d"
 Fixed #19987 -- Disabled host validation when DEBUG=True.

 The documentation promises that host validation is disabled when
 DEBUG=True, that all hostnames are accepted. Domains not compliant with
 RFC 1034/1035 were however being validated, this validation has now been
 removed when DEBUG=True.

 Additionally, when DEBUG=False a more detailed SuspiciousOperation
 exception message is provided when host validation fails because the
 hostname is not RFC 1034/1035 compliant.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/068.6e82b2cd081741191936f79078e47786%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #19987: Basic host validation performed even when DEBUG=True

[Django]

#19987: Basic host validation performed even when DEBUG=True
-+-
 Reporter:  Will Hardy   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  HTTP handling|  Version:  master
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Ready for
Has patch:  1|  checkin
  Needs tests:  0|  Needs documentation:  0
Easy pickings:  1|  Patch needs improvement:  0
 |UI/UX:  0
-+-
Changes (by FrankBie):

 * has_patch:  0 => 1
 * easy:  0 => 1
 * stage:  Accepted => Ready for checkin


Comment:

 Patch and the Test for Patch are valid and ready to go

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #19987: Basic host validation performed even when DEBUG=True

[Django]

#19987: Basic host validation performed even when DEBUG=True
---+
 Reporter:  Will Hardy |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  HTTP handling  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+

Comment (by Will Hardy):

 Because the documentation promises that hostname validation is disabled
 when DEBUG=True, I wrote a patch that does this completely (ie for invalid
 hostnames too). But I also add an explanation to the `SuspiciousOperation`
 exception message as to why an RFC 1034/5 invalid hostname was rejected.

 https://github.com/django/django/pull/996

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #19987: Basic host validation performed even when DEBUG=True

[Django]

#19987: Basic host validation performed even when DEBUG=True
---+
 Reporter:  Will Hardy |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  HTTP handling  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+

Comment (by Will Hardy):

 I thought I might take a few minutes to help out, even if only by writing
 a test.

 Which approach do you want to take?
  * skip all hostname validation when `ALLOWED_HOSTS = ["*"]`
  * make sure a normal `SuspiciousOperation` exception is raised (ie no
 exception when trying to display debug response)
  * add a different suggestion in exception message for invalid hostnames
 (ie invalid, but matched in `ALLOWED_HOSTS`)

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #19987: Basic host validation performed even when DEBUG=True

[Django]

#19987: Basic host validation performed even when DEBUG=True
---+
 Reporter:  Will Hardy |Owner:  nobody
 Type:  Bug|   Status:  new
Component:  HTTP handling  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+
Changes (by aaugustin):

 * component:  Uncategorized => HTTP handling
 * type:  Uncategorized => Bug


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #19987: Basic host validation performed even when DEBUG=True

[Django]

#19987: Basic host validation performed even when DEBUG=True
---+
 Reporter:  Will Hardy |Owner:  nobody
 Type:  Uncategorized  |   Status:  new
Component:  Uncategorized  |  Version:  master
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+
Changes (by jacob):

 * needs_better_patch:   => 0
 * version:  1.5 => master
 * needs_docs:   => 0
 * needs_tests:   => 0
 * stage:  Unreviewed => Accepted


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.