Diffstat (limited to 'django/http/__init__.py')
-rw-r--r--django/http/__init__.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py
index dddd9a89c4..a80750b57c 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -129,6 +129,8 @@ from utils import *
RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
absolute_http_url_re = re.compile(r"^https?://", re.I)
+host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
+
class Http404(Exception):
pass
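Review bot: The `$` anchor in `host_validation_re` also matches just before a trailing newline, so a host value that ends in `\n` would still pass `match()`. Whether such a value can reach this code depends on the server or proxy in front, but anchoring with `\Z` removes the question: `host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?\Z")`. The pattern also has no comment, and it should have one such as `# Lower-case hostname or bracketed IPv6 literal, optional numeric port; callers must lowercase the value first.`, because the character classes only cover lower case.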
@@ -167,7 +169,7 @@ class HttpRequest(object):
host = '%s:%s' % (host, server_port)
# Disallow potentially poisoned hostnames.
- if set(';/?@&=+$,').intersection(host):
+ if not host_validation_re.match(host.lower()):
raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
return host
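Review bot: The new check on `host` is a format check only, so any well-formed name the client chooses still passes and is returned to callers. Code that builds absolute URLs or cache keys from this value continues to trust client-supplied data; comparing the host against a configured list of expected names would close that gap. The comment above the check could say so, e.g. `# Reject syntactically invalid hosts; this does not prove the host is one we serve.` The rejected value is also interpolated unescaped into the `SuspiciousOperation` message, so anything that logs it should treat it as untrusted text. The enclosing method starts outside this hunk.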