
Showing content from https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09 below:

[1.4.X] Fixed a security issue in get_host. · django/django@319627c · GitHub


@@ -126,6 +126,8 @@ def __init__(self, *args, **kwargs):

126 126

RESERVED_CHARS="!*'();:@&=+$,/?%#[]"

127 127 128 128

absolute_http_url_re = re.compile(r"^https?://", re.I)

129 +

host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")

130 + 129 131 130 132

class Http404(Exception):

131 133

pass
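Review bot: `host_validation_re` is anchored with `$`, which in Python also matches just before a trailing newline, so a value like `"example.com\n"` would satisfy the check; `\Z` anchors strictly at the end of the string and is the safer choice for a security check. Two smaller points on the same line: unlike `absolute_http_url_re` directly above it, the pattern is compiled without `re.I` and instead relies on every caller lowercasing first (`host.lower()` in `get_host`), so compiling with `re.I` would make it correct regardless of call site; and the IPv6 alternative `\[[a-f0-9]*:[a-f0-9:]+\]` has no `.` in its character class, so IPv4-mapped literals such as `[::ffff:1.2.3.4]` are rejected, which may or may not be intended and should be stated in a comment either way.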

@@ -214,7 +216,7 @@ def get_host(self):

214 216

host = '%s:%s' % (host, server_port)

215 217 216 218

# Disallow potentially poisoned hostnames.

217 -

if set(';/?@&=+$,').intersection(host):

219 +

if not host_validation_re.match(host.lower()):

218 220

raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)

219 221 220 222

return host
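Review bot: the comment `# Disallow potentially poisoned hostnames.` still describes the removed blacklist; the check is now an allowlist, so it should say that only values matching `host_validation_re` (a hostname or bracketed IPv6 literal, with an optional numeric port) are accepted and anything else raises `SuspiciousOperation`. Also worth a one-line comment: the match runs on `host.lower()` while the original-case value is what gets returned, which is fine because the pattern only uses lowercase classes, but the next reader should not have to verify that.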

Original file line number Diff line number Diff line change

@@ -167,6 +167,33 @@ recommend you ensure your Web server is configured such that:

167 167

Additionally, as of 1.3.1, Django requires you to explicitly enable support for

168 168

the ``X-Forwarded-Host`` header if your configuration requires it.

169 169 170 +

Configuration for Apache

171 +

------------------------

172 + 173 +

The easiest way to get the described behavior in Apache is as follows. Create

174 +

a `virtual host`_ using the ServerName_ and ServerAlias_ directives to restrict

175 +

the domains Apache reacts to. Please keep in mind that while the directives do

176 +

support ports the match is only performed against the hostname. This means that

177 +

the ``Host`` header could still contain a port pointing to another webserver on

178 +

the same machine. The next step is to make sure that your newly created virtual

179 +

host is not also the default virtual host. Apache uses the first virtual host

180 +

found in the configuration file as default virtual host. As such you have to

181 +

ensure that you have another virtual host which will act as catch-all virtual

182 +

host. Just add one if you do not have one already, there is nothing special

183 +

about it aside from ensuring it is the first virtual host in the configuration

184 +

file. Debian/Ubuntu users usually don't have to take any action, since Apache

185 +

ships with a default virtual host in ``sites-available`` which is linked into

186 +

``sites-enabled`` as ``000-default`` and included from ``apache2.conf``. Just

187 +

make sure not to name your site ``000-abc``, since files are included in

188 +

alphabetical order.

189 + 190 +

.. _virtual host: http://httpd.apache.org/docs/2.2/vhosts/

191 +

.. _ServerName: http://httpd.apache.org/docs/2.2/mod/core.html#servername

192 +

.. _ServerAlias: http://httpd.apache.org/docs/2.2/mod/core.html#serveralias

193 + 194 + 195 + 196 + 170 197

Additional security topics

171 198

==========================

172 199 Original file line number Diff line number Diff line change
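Review bot: the new section instructs readers to add a catch-all virtual host but never says what it should serve; since every request whose `Host` header does not match `ServerName`/`ServerAlias` lands on that default host, the text should say it must not be wired to the Django application (an error response or a static page is the usual choice). The Debian/Ubuntu paragraph deserves the same caveat, because the shipped `000-default` only helps if it has not been repurposed to point at the Django site. Two wording fixes: a comma is needed after "support ports" in "while the directives do support ports the match is only performed against the hostname", and "Just add one if you do not have one already, there is nothing special about it" is a comma splice that should be two sentences.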

@@ -1,3 +1,4 @@

1 +

# -*- coding: utf-8 -*-

1 2

from __future__ import with_statement

2 3 3 4

import time

@@ -154,13 +155,15 @@ def test_http_get_host(self):

154 155

'12.34.56.78:443',

155 156

'[2001:19f0:feee::dead:beef:cafe]',

156 157

'[2001:19f0:feee::dead:beef:cafe]:8080',

158 +

'xn--4ca9at.com', # Punnycode for öäü.com

157 159

]

158 160 159 161

poisoned_hosts = [

160 162

'example.com@evil.tld',

161 163

'example.com:dr.frankenstein@evil.tld',

162 -

'example.com:someone@somestie.com:80',

163 -

'example.com:80/badpath'

164 +

'example.com:dr.frankenstein@evil.tld:80',

165 +

'example.com:80/badpath',

166 +

'example.com: recovermypassword.com',

164 167

]

165 168 166 169

for host in legit_hosts:
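Review bot: `legit_hosts` gains a Punycode entry but nothing that exercises the new lowercasing in `get_host`; a mixed-case hostname (e.g. `'Example.COM'`) and an IPv6 literal with uppercase hex digits belong in the list so that the `.lower()` call is actually covered. In `poisoned_hosts`, `'example.com: recovermypassword.com'` is the one case the old set-based check would have accepted (a space was not in the blacklist), and a short comment recording that is what future readers will want. Minor: the comment reads `Punnycode`; the encoding is spelled Punycode.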

@@ -230,13 +233,15 @@ def test_http_get_host_with_x_forwarded_host(self):

230 233

'12.34.56.78:443',

231 234

'[2001:19f0:feee::dead:beef:cafe]',

232 235

'[2001:19f0:feee::dead:beef:cafe]:8080',

236 +

'xn--4ca9at.com', # Punnycode for öäü.com

233 237

]

234 238 235 239

poisoned_hosts = [

236 240

'example.com@evil.tld',

237 241

'example.com:dr.frankenstein@evil.tld',

238 242

'example.com:dr.frankenstein@evil.tld:80',

239 -

'example.com:80/badpath'

243 +

'example.com:80/badpath',

244 +

'example.com: recovermypassword.com',

240 245

]

241 246 242 247

for host in legit_hosts:
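Review bot: `legit_hosts` and `poisoned_hosts` here are a verbatim copy of the lists in `test_http_get_host`, and this commit had to edit both in lockstep; hoisting them to module-level constants (or a shared helper that runs both tests over the same data) would keep the two from drifting apart the next time the validation rule changes. The `Punnycode` misspelling is duplicated here as well.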
