Fixed a security issue related to password resets

Full disclosure and new release are forthcoming
author: Preston Holmes <preston@ptone.com> 2012-10-17 14:36:41 -0700
committer: Preston Holmes <preston@ptone.com> 2012-10-17 14:36:41 -0700
commit: 9305c0e12d43c4df999c3301a1f0c742264a657e (patch)
tree: 028c00ff78c527398d316ae41a3a0fbb5b582d2e /django/http/__init__.py
parent: 3e0857041b6bfc9deef392315c978abede706c92 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py
index ecb39129ad..b385b450ee 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -180,6 +180,11 @@ class HttpRequest(object):
             server_port = str(self.META['SERVER_PORT'])
             if server_port != ('443' if self.is_secure() else '80'):
                 host = '%s:%s' % (host, server_port)
+
+        # Disallow potentially poisoned hostnames.
+        if set(';/?@&=+$,').intersection(host):
+            raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
+
         return host
 
     def get_full_path(self):
author	Preston Holmes <preston@ptone.com>	2012-10-17 14:36:41 -0700
committer	Preston Holmes <preston@ptone.com>	2012-10-17 14:36:41 -0700
commit	9305c0e12d43c4df999c3301a1f0c742264a657e (patch)
tree	028c00ff78c527398d316ae41a3a0fbb5b582d2e /django/http/__init__.py
parent	3e0857041b6bfc9deef392315c978abede706c92 (diff)