
[1.3.X] Fixed a security issue in get_host.

Full disclosure and new release forthcoming.
This commit is contained in:
Florian Apolloner 2012-11-27 22:27:14 +01:00
parent 1515eb46da
commit 2da4ace0bc
2 changed files with 11 additions and 4 deletions


@ -129,6 +129,8 @@ from utils import *
RESERVED_CHARS="!*'();:@&=+$,/?%#[]" RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
absolute_http_url_re = re.compile(r"^https?://", re.I) absolute_http_url_re = re.compile(r"^https?://", re.I)
host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
class Http404(Exception): class Http404(Exception):
pass pass
@ -167,7 +169,7 @@ class HttpRequest(object):
host = '%s:%s' % (host, server_port) host = '%s:%s' % (host, server_port)
# Disallow potentially poisoned hostnames. # Disallow potentially poisoned hostnames.
if set(';/?@&=+$,').intersection(host): if not host_validation_re.match(host.lower()):
raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host) raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
return host return host
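Review bot: The `$` anchor in the new `host_validation_re` on the `host_validation_re = re.compile(...)` line also matches just before a trailing newline, so a host value ending in "\n" would pass the check on the `if not host_validation_re.match(host.lower()):` line while the unmodified value is still what `return host` hands back; whether any server ever delivers HTTP_HOST with a trailing newline is not visible here, but anchoring with `\Z` removes the question at no cost: `host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?\Z")`. The pattern is compiled without `re.I` and relies on the caller lowercasing, which deserves a comment above it, e.g. `# Hostname/IPv4 (a-z, 0-9, '.', '-') or bracketed IPv6 literal, each with an optional ':port'; callers match against host.lower().` get_host begins outside the hunk, so how `host` and `server_port` are derived before this point is not reviewed here.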


@ -1,3 +1,4 @@
# -*- coding: utf-8 -*-
import time import time
from datetime import datetime, timedelta from datetime import datetime, timedelta
from StringIO import StringIO from StringIO import StringIO
@ -110,13 +111,15 @@ class RequestsTests(unittest.TestCase):
'12.34.56.78:443', '12.34.56.78:443',
'[2001:19f0:feee::dead:beef:cafe]', '[2001:19f0:feee::dead:beef:cafe]',
'[2001:19f0:feee::dead:beef:cafe]:8080', '[2001:19f0:feee::dead:beef:cafe]:8080',
'xn--4ca9at.com', # Punnycode for öäü.com
] ]
poisoned_hosts = [ poisoned_hosts = [
'example.com@evil.tld', 'example.com@evil.tld',
'example.com:dr.frankenstein@evil.tld', 'example.com:dr.frankenstein@evil.tld',
'example.com:someone@somestie.com:80', 'example.com:dr.frankenstein@evil.tld:80',
'example.com:80/badpath' 'example.com:80/badpath',
'example.com: recovermypassword.com',
] ]
for host in legit_hosts: for host in legit_hosts:
@ -187,13 +190,15 @@ class RequestsTests(unittest.TestCase):
'12.34.56.78:443', '12.34.56.78:443',
'[2001:19f0:feee::dead:beef:cafe]', '[2001:19f0:feee::dead:beef:cafe]',
'[2001:19f0:feee::dead:beef:cafe]:8080', '[2001:19f0:feee::dead:beef:cafe]:8080',
'xn--4ca9at.com', # Punnycode for öäü.com
] ]
poisoned_hosts = [ poisoned_hosts = [
'example.com@evil.tld', 'example.com@evil.tld',
'example.com:dr.frankenstein@evil.tld', 'example.com:dr.frankenstein@evil.tld',
'example.com:dr.frankenstein@evil.tld:80', 'example.com:dr.frankenstein@evil.tld:80',
'example.com:80/badpath' 'example.com:80/badpath',
'example.com: recovermypassword.com',
] ]
for host in legit_hosts: for host in legit_hosts:
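Review bot: The `legit_hosts` and `poisoned_hosts` fixtures extended in both hunks (`'xn--4ca9at.com'` and `'example.com: recovermypassword.com'` in each) are maintained as two identical copies, one per test method, so a case added to one list is easily missed in the other; hoisting both lists to module-level constants shared by the two methods would keep them in lockstep. The comment on the new punycode case is misspelled and should read `'xn--4ca9at.com', # Punycode for öäü.com`. Both enclosing test methods begin and end outside the hunks, so the assertions made over these lists are not visible here.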