| author | Florian Apolloner <florian@apolloner.eu> | 2012-11-27 22:27:14 +0100 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-12-03 13:11:34 +0100 |
| commit | 2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b (patch) | |
| tree | b3f6248e714196c6d11de17a3f70b709a3c55d89 | |
| parent | 1515eb46daa0897ba5ad5f0a2db8969255f1b343 (diff) | |
[1.3.X] Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
| -rw-r--r-- | django/http/__init__.py | 4 | ||||
| -rw-r--r-- | tests/regressiontests/requests/tests.py | 11 |
2 files changed, 11 insertions, 4 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py
index dddd9a89c4..a80750b57c 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -129,6 +129,8 @@ from utils import *
 RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
 absolute_http_url_re = re.compile(r"^https?://", re.I)
+host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
+
 class Http404(Exception):
 pass
@@ -167,7 +169,7 @@ class HttpRequest(object):
 host = '%s:%s' % (host, server_port)
 # Disallow potentially poisoned hostnames.
- if set(';/?@&=+$,').intersection(host):
+ if not host_validation_re.match(host.lower()):
 raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
 return host
diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
index 19713b6e26..bbd2280c43 100644
--- a/tests/regressiontests/requests/tests.py
+++ b/tests/regressiontests/requests/tests.py
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 import time
 from datetime import datetime, timedelta
 from StringIO import StringIO
@@ -110,13 +111,15 @@ class RequestsTests(unittest.TestCase):
 '12.34.56.78:443',
 '[2001:19f0:feee::dead:beef:cafe]',
 '[2001:19f0:feee::dead:beef:cafe]:8080',
+ 'xn--4ca9at.com', # Punnycode for öäü.com
 ]
 poisoned_hosts = [
 'example.com@evil.tld',
 'example.com:dr.frankenstein@evil.tld',
- 'example.com:someone@somestie.com:80',
- 'example.com:80/badpath'
+ 'example.com:dr.frankenstein@evil.tld:80',
+ 'example.com:80/badpath',
+ 'example.com: recovermypassword.com',
 ]
 for host in legit_hosts:
@@ -187,13 +190,15 @@ class RequestsTests(unittest.TestCase):
 '12.34.56.78:443',
 '[2001:19f0:feee::dead:beef:cafe]',
 '[2001:19f0:feee::dead:beef:cafe]:8080',
+ 'xn--4ca9at.com', # Punnycode for öäü.com
 ]
 poisoned_hosts = [
 'example.com@evil.tld',
 'example.com:dr.frankenstein@evil.tld',
 'example.com:dr.frankenstein@evil.tld:80',
- 'example.com:80/badpath'
+ 'example.com:80/badpath',
+ 'example.com: recovermypassword.com',
 ]
 for host in legit_hosts: |
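Review bot: The new `host_validation_re` ends in `$`, which in Python also matches just before a trailing newline, so a value such as `example.com\n` satisfies the pattern; `\Z` is the strict end-of-string anchor: `host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?\Z")`. The IPv6 branch has no `.` in its character class, so an IPv4-mapped literal like `[::ffff:10.0.0.1]` is rejected — presumably acceptable for a security backport, but it is a behaviour change callers on such setups will hit. The pattern also carries no explanation of what it admits; a comment above it would help the next reader, e.g. `# Lower-cased hostname (letters, digits, '.', '-') or a bracketed IPv6 literal, each with an optional :port.`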
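Review bot: The check runs on `host.lower()` but the unmodified `host` is what `get_host` returns, so the validated string and the returned string can differ. With a Python 2 byte str `.lower()` only touches ASCII and the two agree; if `host` is ever a unicode string, characters whose lower-case form is ASCII (U+212A KELVIN SIGN lowers to `k`) would pass the regex while the original non-ASCII value is handed to callers — validating the value you return, or compiling the pattern with `re.I` and calling `host_validation_re.match(host)`, removes that gap. Separately, this is a well-formedness check only: a syntactically valid attacker-chosen Host such as `evil.tld` still passes, so the front-end server must still be configured to route only known hostnames to the application. The `get_host` body starts outside the hunk, so the source of `host` in the non-`HTTP_HOST` branch is not visible here.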
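Review bot: The new test cases do not exercise the `.lower()` path or the end-of-string anchor introduced by this fix; adding `'EXAMPLE.com'` to `legit_hosts` and `'example.com\n'` to `poisoned_hosts` would pin both (the latter currently passes the `$`-anchored regex, which is the point of adding it). The added comment also misspells the encoding name: `# Punycode for öäü.com`. The enclosing test method starts outside the hunk.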
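Review bot: This `legit_hosts` / `poisoned_hosts` pair is a verbatim copy of the lists edited in the previous hunk, and this commit had to touch both copies in step. A class-level or module-level constant (e.g. `LEGIT_HOSTS = [...]` and `POISONED_HOSTS = [...]` next to the test class) shared by both test methods would keep future cases from being added to one list and forgotten in the other. The enclosing test method starts outside the hunk.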
