Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2012-10-20 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Type:  Bug                     | Status:  closed
 Component:  HTTP handling      | Version:  1.0
 Severity:  Normal              | Resolution:  wontfix
 Keywords:                      | Triage Stage:  Accepted
 Has patch:  1                  | Needs documentation:  0
 Needs tests:  0                | Patch needs improvement:  1
 Easy pickings:  0              | UI/UX:  0
--------------------------------+--------------------------------
Changes (by aaugustin):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 Django no longer interprets X-Forwarded-Host headers by default, for
 security reasons. See also #6880.

 Generally speaking this header isn't necessary if proxies under the
 owner's control are properly configured.

 So I'm going to close this ticket, essentially for the reasons given by
 Malcolm in comment 5.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2011-02-12 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
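--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  HTTP handling      | Version:  1.0
 Resolution:                    | Keywords:
 Triage Stage:  Accepted        | Has patch:  1
 Needs documentation:  0        | Needs tests:  0
 Patch needs improvement:  1    |
--------------------------------+--------------------------------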

Comment (by aaugustin):

 The question here is "how to use `X-FORWARDED-HOST`?", but #6880 asks
 "should we use `X-FORWARDED-HOST` at all?" and contains a patch to not use
 it anymore. If this patch is applied, the problem discussed here vanishes.

 `get_host` is the only place in Django that uses the non-standard
 `X-FORWARDED-HOST` header. I think removing it is the correct way to go:
 - Like mtredinnick said, reverse proxies are supposed to do the rewrites
 both on the request and the response.
 - Developers with a weird proxy setup may write their own middleware to
 tweak headers.
 - People using the remote address for geolocation are facing a very
 difficult problem, for which Django cannot provide a generic solution.
 Consider the setup below: you would probably want the address of the
 Internet-facing proxy; how is Django supposed to find it in the list of 5
 IPs in `X-FORWARDED-HOST`?
 {{{
 user on private network -> internal proxy -> Internet-facing proxy ->
 load-balancer -> reverse proxy -> Django
 }}}

 Finally, even if a decent solution was found for this problem, there would
 still be a parallel issue with `is_secure` (see also #6548) as proxies can
 convert from HTTP to HTTPS and vice-versa. I do not know how that one
 could be resolved.




Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2010-02-25 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
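--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  HTTP handling      | Version:  1.0
 Resolution:                    | Keywords:
 Stage:  Accepted               | Has_patch:  1
 Needs_docs:  0                 | Needs_tests:  0
 Needs_better_patch:  1         |
--------------------------------+--------------------------------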
Comment (by louis):

 Ran into this problem myself. Using django (1.1.1 final), mod_python,
 apache2 and nginx (as proxy).
 The previous patch didn't work in my case but below did:
 {{{
 # LINE 45:
 def get_host(self):
     """Returns the HTTP host using the environment or request headers."""
     # We try three options, in order of decreasing preference.
     if 'HTTP_X_FORWARDED_HOST' in self.META:
         host = self.META['HTTP_X_FORWARDED_HOST']
         host = host.split(',')[-1].strip()
     elif 'HTTP_HOST' in self.META:
         host = self.META['HTTP_HOST']
         host = host.split(',')[-1].strip()
     else:
         # Reconstruct the host using the algorithm from PEP 333.
         host = self.META['SERVER_NAME']
         host = host.split(',')[-1].strip()
         server_port = str(self.META['SERVER_PORT'])
         if server_port != (self.is_secure() and '443' or '80'):
             host = '%s:%s' % (host, server_port)
     return host
 }}}

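Added example, not code from the ticket or from Django: a WSGI middleware of the kind aaugustin's comment suggests for unusual proxy setups, handling the comma-separated `X-Forwarded-Host` value that the `get_host` above splits. It honours the header only when the request comes from an allowlisted proxy address and the chosen host is on a host allowlist; `TRUSTED_PROXIES`, `ALLOWED_HOSTS`, `resolve_host` and `ForwardedHostMiddleware` are hypothetical names, and it assumes each proxy appends its value to the list.

```python
import re

# Constructed sample values; names here are hypothetical, not Django settings.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})   # address of our own reverse proxy
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})
_HOST_RE = re.compile(r"([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d+)?")


def resolve_host(environ, trusted=TRUSTED_PROXIES, allowed=ALLOWED_HOSTS):
    """Return the validated host for this request, or None to reject it."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    forwarded = environ.get("HTTP_X_FORWARDED_HOST")
    # Honour the header only when the TCP peer is our proxy: a client that
    # connects directly can send any X-Forwarded-Host it likes.
    if forwarded and environ.get("REMOTE_ADDR") in trusted:
        # Assumption: each proxy appends to the list, so the last entry was
        # written by the trusted proxy and earlier ones are client-influenced.
        host = forwarded.split(",")[-1].strip()
    match = _HOST_RE.fullmatch(host.lower())
    if match is None or match.group(1) not in allowed:
        return None
    return match.group(0)


class ForwardedHostMiddleware:
    """WSGI middleware that fixes up HTTP_HOST before the application runs."""

    def __init__(self, app, trusted=TRUSTED_PROXIES, allowed=ALLOWED_HOSTS):
        self.app, self.trusted, self.allowed = app, trusted, allowed

    def __call__(self, environ, start_response):
        host = resolve_host(environ, self.trusted, self.allowed)
        if host is None:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request: host not allowed\n"]
        environ["HTTP_HOST"] = host
        # Drop the raw header so later code cannot pick a different entry.
        environ.pop("HTTP_X_FORWARDED_HOST", None)
        return self.app(environ, start_response)
```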



Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2009-02-28 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
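--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  HTTP handling      | Version:  1.0
 Resolution:                    | Keywords:
 Stage:  Accepted               | Has_patch:  1
 Needs_docs:  0                 | Needs_tests:  0
 Needs_better_patch:  1         |
--------------------------------+--------------------------------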
Comment (by mtredinnick):

 We really shouldn't be using this header to compute redirects at all. If
 the hostname has been changed as part of the transmission process, it's up
 to the servers doing the changing to do rewrites on the way out as well.
 The best solution here is to ditch it altogether. Systems relying on this
 are arguably broken. Not holding my breath, though, since some people seem
 to like.

 Note, also, there was a huge thread about the complete lack of
 standardisation and variance in behaviour for the X-FORWARDED-HOST header
 two or three years ago on django-dev.
 [http://groups.google.com/group/django-developers/browse_thread/thread/b3b2deb687a3e885 Here's one thread],
 although I have a memory there was another as well at some point.
 Unsurprising that it's confusing, since it's an "X-*" header (totally
 non-standard).




Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2009-02-25 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
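--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  HTTP handling      | Version:  1.0
 Resolution:                    | Keywords:
 Stage:  Accepted               | Has_patch:  1
 Needs_docs:  0                 | Needs_tests:  0
 Needs_better_patch:  1         |
--------------------------------+--------------------------------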
Changes (by ericholscher):

  * stage:  Unreviewed => Accepted

Comment:

 I remember being bitten by this as well. Marking it as accepted because if
 some agents are forwarding these headers and it's breaking, we should
 probably take it into consideration.

 When searching for similar tickets, I found a Ruby on Rails ticket dealing
 with the same issues: http://dev.rubyonrails.org/ticket/3397

 It appears they are honoring the last host. It also seems to be happening
 when there are multiple proxies in front of Django.




Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2008-09-14 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
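--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  HTTP handling      | Version:  1.0
 Resolution:                    | Keywords:
 Stage:  Unreviewed             | Has_patch:  1
 Needs_docs:  0                 | Needs_tests:  0
 Needs_better_patch:  1         |
--------------------------------+--------------------------------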
Comment (by Artur):

 Fixed directory hierarchy information in patch




Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2008-09-14 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
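--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  HTTP handling      | Version:  1.0
 Resolution:                    | Keywords:
 Stage:  Unreviewed             | Has_patch:  1
 Needs_docs:  0                 | Needs_tests:  0
 Needs_better_patch:  1         |
--------------------------------+--------------------------------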
Changes (by kratorius):

  * has_patch:  0 => 1
  * component:  Uncategorized => HTTP handling




Re: [Django] #9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts

2008-09-13 Thread Django
#9064: Redirect is broken when HTTP_X_FORWARDED_HOST contains multiple hosts
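--------------------------------+--------------------------------
 Reporter:  Artur               | Owner:  nobody
 Status:  new                   | Milestone:
 Component:  Uncategorized      | Version:  1.0
 Resolution:                    | Keywords:
 Stage:  Unreviewed             | Has_patch:  0
 Needs_docs:  0                 | Needs_tests:  0
 Needs_better_patch:  1         |
--------------------------------+--------------------------------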
Changes (by [EMAIL PROTECTED]):

  * needs_better_patch:  => 1
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 The current patch seems to work. It's meant to patch against
 {{{ trunk/django/http/__init__.py }}}.

 However, the patch doesn't specify which file it's applied to. Please
 resubmit with the proper directory hierarchy information.
