summaryrefslogtreecommitdiff
path: root/django/http/request.py
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2012-11-27 22:24:31 +0100
committerFlorian Apolloner <florian@apolloner.eu>2012-12-10 22:13:28 +0100
commit77b06e41516d8136b56c040cba7e235b14750bfb (patch)
treef9325c560aecb0e7d1f0558f0a25a99481ba74e1 /django/http/request.py
parentfce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5 (diff)
[1.5.X] Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
Diffstat (limited to 'django/http/request.py')
-rw-r--r--django/http/request.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/django/http/request.py b/django/http/request.py
index d3f0888d47..8f74bddb71 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -25,6 +25,7 @@ from django.utils.encoding import force_bytes, force_text, force_str, iri_to_uri
RAISE_ERROR = object()
absolute_http_url_re = re.compile(r"^https?://", re.I)
+host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
class UnreadablePostError(IOError):
@@ -64,7 +65,7 @@ class HttpRequest(object):
host = '%s:%s' % (host, server_port)
# Disallow potentially poisoned hostnames.
- if set(';/?@&=+$,').intersection(host):
+ if not host_validation_re.match(host.lower()):
raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
return host