diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2012-11-27 22:24:31 +0100 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-12-10 22:13:28 +0100 |
| commit | 77b06e41516d8136b56c040cba7e235b14750bfb (patch) | |
| tree | f9325c560aecb0e7d1f0558f0a25a99481ba74e1 /django/http/request.py | |
| parent | fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5 (diff) | |
[1.5.X] Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
Diffstat (limited to 'django/http/request.py')
| -rw-r--r-- | django/http/request.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/django/http/request.py b/django/http/request.py index d3f0888d47..8f74bddb71 100644 --- a/django/http/request.py +++ b/django/http/request.py @@ -25,6 +25,7 @@ from django.utils.encoding import force_bytes, force_text, force_str, iri_to_uri RAISE_ERROR = object() absolute_http_url_re = re.compile(r"^https?://", re.I) +host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$") class UnreadablePostError(IOError): @@ -64,7 +65,7 @@ class HttpRequest(object): host = '%s:%s' % (host, server_port) # Disallow potentially poisoned hostnames. - if set(';/?@&=+$,').intersection(host): + if not host_validation_re.match(host.lower()): raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host) return host |
