Re: malicious requests?

2014-12-22 Thread Fergus Cameron
On 22/12/2014, Alasdair Nicol wrote: > [ ... ] > > In Django 1.7, the trailing dot is stripped when performing host > > validation, thus an entry with a trailing dot isn’t required. How odd, since the canonical representation would be to add a dot when one is missing

Re: malicious requests?

2014-12-22 Thread Alex Haylock
Thanks Alasdair, that's really useful. I'm using v1.6.X in production, which makes sense based on your email. Alex. On 22/12/14 13:58, Alasdair Nicol wrote: > Hi Alex, > > There is no security implication adding 'example.com.' (with trailing > dot) to your ALLOWED_HOSTS setting. There is some

Re: malicious requests?

2014-12-22 Thread Alasdair Nicol
Hi Alex, There is no security implication adding 'example.com.' (with trailing dot) to your ALLOWED_HOSTS setting. There is some more information in the ALLOWED_HOSTS setting docs. From https://docs.djangoproject.com/en/1.7/ref/settings/#allowed-hosts In previous [<= 1.6.X] versions of

Re: malicious requests?

2014-12-22 Thread Mark Phillips
Alex, The trailing period could be from online promotional materials for your site. Someone may have written your URL with the trailing period inside the URL by mistake when the promotional materials were created. It may not be an attack vector from a malicious hacker, but instead, valid users

Re: malicious requests?

2014-12-22 Thread Alex Haylock
Thanks Markus. So, as per the RFC, are 'example.com' and 'example.com.' considered to be the same domain, or two separate domains? Are there any security implications if I add 'example.com.' to ALLOWED_HOSTS to cater for these requests? Thanks, Alex. On 22/12/14 11:52, Markus Holtermann

Re: malicious requests?

2014-12-22 Thread Markus Holtermann
Hey Alex, a trailing . in the host header is valid per RFC 3986: http://tools.ietf.org/html/rfc3986#section-3.2.2: The rightmost domain label of a fully qualified domain name in DNS may be > followed by a single "." /Markus On Monday, December 22, 2014 12:44:25 PM UTC+1, Alex Haylock

malicious requests?

2014-12-22 Thread Alex Haylock
Are there any known attack vectors that involve appending a period/ full-stop to a sites domain name? My Django application throws a handful of errors in production every day: ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to add u'www.example.com.' to ALLOWED_HOSTS. (note