
[1.3.X] Fixed a security issue in get_host. · django/django@2da4ace · GitHub


Expand file treeCollapse file tree 2 files changed

+11

-4

lines changed Original file line number Diff line number Diff line change

@@ -129,6 +129,8 @@ def __init__(self, *args, **kwargs):

129 129

RESERVED_CHARS="!*'();:@&=+$,/?%#[]"

130 130 131 131

absolute_http_url_re = re.compile(r"^https?://", re.I)

132 +

host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")

133 + 132 134 133 135

class Http404(Exception):

134 136

pass

@@ -167,7 +169,7 @@ def get_host(self):

167 169

host = '%s:%s' % (host, server_port)

168 170 169 171

# Disallow potentially poisoned hostnames.

170 -

if set(';/?@&=+$,').intersection(host):

172 +

if not host_validation_re.match(host.lower()):

171 173

raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)

172 174 173 175

return host
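Review bot: The new check on the `if not host_validation_re.match(host.lower()):` line is syntactic only — it rejects `@`, `/` and whitespace, but still accepts any well-formed hostname an attacker places in the Host header, so code that builds absolute URLs from get_host() (password-reset mails, redirects) stays spoofable unless the web server or a settings-level allowlist restricts the hosts it serves. The comment `# Disallow potentially poisoned hostnames.` should make that limit explicit, e.g. `# Reject syntactically invalid hosts only; this is not a trust check, an allowlist of expected hosts is still required.` Separately, `$` in a Python regex also matches just before a trailing newline, so a header value ending in `\n` passes this pattern; `\Z` is the strict anchor: `host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?\Z")`. get_host() begins before this hunk, so how `host` is assembled (presumably from HTTP_X_FORWARDED_HOST / HTTP_HOST / SERVER_NAME, going by the test names) is not visible here.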


@@ -1,3 +1,4 @@

1 +

# -*- coding: utf-8 -*-

1 2

import time

2 3

from datetime import datetime, timedelta

3 4

from StringIO import StringIO

@@ -110,13 +111,15 @@ def test_http_get_host(self):

110 111

'12.34.56.78:443',

111 112

'[2001:19f0:feee::dead:beef:cafe]',

112 113

'[2001:19f0:feee::dead:beef:cafe]:8080',

114 +

'xn--4ca9at.com', # Punnycode for öäü.com

113 115

]

114 116 115 117

poisoned_hosts = [

116 118

'example.com@evil.tld',

117 119

'example.com:dr.frankenstein@evil.tld',

118 -

'example.com:someone@somestie.com:80',

119 -

'example.com:80/badpath'

120 +

'example.com:dr.frankenstein@evil.tld:80',

121 +

'example.com:80/badpath',

122 +

'example.com: recovermypassword.com',

120 123

]

121 124 122 125

for host in legit_hosts:

@@ -187,13 +190,15 @@ def test_http_get_host_with_x_forwarded_host(self):

187 190

'12.34.56.78:443',

188 191

'[2001:19f0:feee::dead:beef:cafe]',

189 192

'[2001:19f0:feee::dead:beef:cafe]:8080',

193 +

'xn--4ca9at.com', # Punnycode for öäü.com

190 194

]

191 195 192 196

poisoned_hosts = [

193 197

'example.com@evil.tld',

194 198

'example.com:dr.frankenstein@evil.tld',

195 199

'example.com:dr.frankenstein@evil.tld:80',

196 -

'example.com:80/badpath'

200 +

'example.com:80/badpath',

201 +

'example.com: recovermypassword.com',

197 202

]

198 203 199 204

for host in legit_hosts:
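Review bot: Neither legit_hosts list exercises the case-folding the new get_host() depends on — host_validation_re only admits lowercase and `.lower()` is applied before matching — so dropping the `.lower()` call would not fail these tests; add e.g. `'EXAMPLE.com'` and `'[2001:19F0:FEEE::DEAD:BEEF:CAFE]:8080'` to legit_hosts in both test_http_get_host and test_http_get_host_with_x_forwarded_host. The poisoned lists should also pin the anchoring with a value carrying a trailing newline, `'example.com\n'`, which a `$`-anchored pattern lets through in Python's re module. The comment on the added entries has a typo, `# Punycode for öäü.com`. Both test methods start before their hunks, so the request setup each loop relies on is not visible here.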
