Fixed a security issue related to password resets

Full disclosure and new release are forthcoming
2025-10-26 15:16:09 +00:00 · 2012-10-17 14:36:41 -07:00
parent 3e0857041b
commit 9305c0e12d
4 changed files with 44 additions and 1 deletions
--- a/django/http/init.py
+++ b/django/http/init.py
@@ -180,6 +180,11 @@ class HttpRequest(object):
            server_port = str(self.META['SERVER_PORT'])
            if server_port != ('443' if self.is_secure() else '80'):
                host = '%s:%s' % (host, server_port)
+
+        # Disallow potentially poisoned hostnames.
+        if set(';/?@&=+$,').intersection(host):
+            raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
+
        return host

    def get_full_path(self):