mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-26 23:26:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed a security issue in get_host.

Browse Source 
Full disclosure and new release forthcoming.
This commit is contained in:
Florian Apolloner
2012-11-27 22:19:37 +01:00
parent a2f2a39956
commit 27560924ec
3 changed files with 34 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
django/http/request.py
View File

@@ -25,6 +25,7 @@ from django.utils.encoding import force_bytes, force_text, force_str, iri_to_uri
RAISE_ERROR = object()
absolute_http_url_re = re.compile(r"^https?://", re.I)
host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
class UnreadablePostError(IOError):
@@ -64,7 +65,7 @@ class HttpRequest(object):
host = '%s:%s' % (host, server_port)
# Disallow potentially poisoned hostnames.
if set(';/?@&=+$,').intersection(host):
if not host_validation_re.match(host.lower()):
raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
return host