Opened 11 years ago

Closed 11 years ago

#21921 closed Bug (duplicate)

host_validation_re does not match IPv6 addresses

Reported by: sej854+django@… Owned by: nobody
Component: HTTP handling Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Validation of the host part fails, falsely raising SuspiciousOperation

validate_host() or split_domain_port() in django.http.request try to match the Host: value against the following RegExp:

host_validation_re = re.compile(r"([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")

The issue are the \[ \] (literal square brackets) around the IPv6 part -- the Host: value actually does not contain them. Hence it fails to match any IPv6 address.
In my local installation I removed the source of the problem by adding question marks after the \[ and \], but of course it'd be better if it could be fixed properly in the code base.

I encountered this problem in a django 1.3.7 install, but checked the github (https://github.com/django/django/blob/c250f9c99b59bb011dae9bc97783458621462b65/django/http/request.py) to confirm that this problem hasn't changed.

Let me know if you need any additional information.

Change History (3)

comment:1 by Claude Paroz, 11 years ago

I find a bit strange that your Host value doesn't contain the brackets (the RFC requires them, http://tools.ietf.org/html/rfc3986#section-3.2.2).
Is it the client who didn't set the brackets?

comment:2 by anonymous, 11 years ago

Possibly! I came across this when trying to figure out why our provider's was flooded by e-mails -- some automatic script searching for vulnerabilities tried out all sorts of addresses, and because of the mis-matching host_validation_re Django sent one e-mail to me for each request -- I wouldn't say it was totally wrong to raise SuspiciousOperation exceptions in this case (it was a suspicious operation), but there should be some way to prevent just this kind of exception to be e-mailed to the admin, without having to disable all Exception mails (according to the django logging documentation it should be possible to deal with sub-categories of SuspiciousOperation, but the code in http/request.py only raises SuspiciousOperation(), so I can't see how you'd filter out just the mismatches to the Host: validation). Otherwise this can result in a (not even intentional) denial of service...

comment:3 by Claude Paroz, 11 years ago

Resolution: duplicate
Status: newclosed

The issue about exception differentiation has been addressed in #19866 (the fix is in Django 1.6).

Note: See TracTickets for help on using tickets.
Back to Top