mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-12-07 02:15:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fixed a security issue in get_host.

Browse source 
Full disclosure and new release forthcoming.
This commit is contained in:
Florian Apolloner 2012-11-27 22:19:37 +01:00
parent a2f2a39956
commit 27560924ec
3 changed files with 34 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
django/http/request.py
View file

@ -25,6 +25,7 @@ from django.utils.encoding import force_bytes, force_text, force_str, iri_to_uri
RAISE_ERROR = object()
absolute_http_url_re = re.compile(r"^https?://", re.I)
host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
class UnreadablePostError(IOError):
@ -64,7 +65,7 @@ class HttpRequest(object):
host = '%s:%s' % (host, server_port)
# Disallow potentially poisoned hostnames.
if set(';/?@&=+$,').intersection(host):
if not host_validation_re.match(host.lower()):
raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
return host