From 2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Tue, 27 Nov 2012 22:27:14 +0100
Subject: [PATCH] [1.3.X] Fixed a security issue in get_host.

Full disclosure and new release forthcoming.
---
 django/http/__init__.py                 |  4 +++-
 tests/regressiontests/requests/tests.py | 11 ++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/django/http/__init__.py b/django/http/__init__.py
index dddd9a89c4..a80750b57c 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -129,6 +129,8 @@ from utils import *
 RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
 
 absolute_http_url_re = re.compile(r"^https?://", re.I)
+host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
+
 
 class Http404(Exception):
     pass
@@ -167,7 +169,7 @@ class HttpRequest(object):
                 host = '%s:%s' % (host, server_port)
 
         # Disallow potentially poisoned hostnames.
-        if set(';/?@&=+$,').intersection(host):
+        if not host_validation_re.match(host.lower()):
             raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
 
         return host
diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
index 19713b6e26..bbd2280c43 100644
--- a/tests/regressiontests/requests/tests.py
+++ b/tests/regressiontests/requests/tests.py
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 import time
 from datetime import datetime, timedelta
 from StringIO import StringIO
@@ -110,13 +111,15 @@ class RequestsTests(unittest.TestCase):
                 '12.34.56.78:443',
                 '[2001:19f0:feee::dead:beef:cafe]',
                 '[2001:19f0:feee::dead:beef:cafe]:8080',
+                'xn--4ca9at.com', # Punnycode for öäü.com
             ]
 
             poisoned_hosts = [
                 'example.com@evil.tld',
                 'example.com:dr.frankenstein@evil.tld',
-                'example.com:someone@somestie.com:80',
-                'example.com:80/badpath'
+                'example.com:dr.frankenstein@evil.tld:80',
+                'example.com:80/badpath',
+                'example.com: recovermypassword.com',
             ]
 
             for host in legit_hosts:
@@ -187,13 +190,15 @@ class RequestsTests(unittest.TestCase):
                 '12.34.56.78:443',
                 '[2001:19f0:feee::dead:beef:cafe]',
                 '[2001:19f0:feee::dead:beef:cafe]:8080',
+                'xn--4ca9at.com', # Punnycode for öäü.com
             ]
 
             poisoned_hosts = [
                 'example.com@evil.tld',
                 'example.com:dr.frankenstein@evil.tld',
                 'example.com:dr.frankenstein@evil.tld:80',
-                'example.com:80/badpath'
+                'example.com:80/badpath',
+                'example.com: recovermypassword.com',
             ]
 
             for host in legit_hosts: