Opened 8 years ago
Last modified 8 years ago
#27379 closed Bug
Django violates RFC7230 when handling requests. — at Initial Version
Reported by: | Stavros Korokithakis | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 1.10 |
Severity: | Normal | Keywords: | |
Cc: | Florian Apolloner, rene@… | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
For a request coming in with an absolute URI and a different host header, Django still uses the Host header value to service the request. RFC 7230 specifies:
If the request-target is in absolute-form, the effective request URI is the same as the request-target.
(https://tools.ietf.org/html/rfc7230#section-5.5)
Thus, if a request comes in where the host header is different from the host in the absolute URI, Django should use the absolute URI, rather than the host value.
This is a problem when a request comes in looking like:
```http
GET https://valid.hostname/ HTTP/1.1
Host: invalid.hostname
```
Django currently fails this as a violation of ALLOWED_HOSTS, but it shouldn't. Granted, we only see this in attacks, but nginx passes these requests through (because it should) and Django fails them because of the wonky host.
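The following is an added illustration of the RFC 7230 section 5.5 rule the ticket cites; it is not Django's code and not part of the original report. It parses a request head, derives the effective request URI (absolute-form request-target wins, otherwise the URI is built from the Host header, with authority-form and asterisk-form handled as well so the function is general), and then runs a small ALLOWED_HOSTS-style match against both the authority of the effective request URI and the raw Host header, so the two behaviours described in the ticket can be compared side by side. `parse_request_head`, `effective_request_uri`, `host_allowed`, `check_request` and the request bytes are all constructed for this example; the matcher mirrors the shape of the ALLOWED_HOSTS setting (exact name or leading-dot suffix, port ignored) but is not Django's implementation.

```python
"""RFC 7230 section 5.5 effective request URI versus Host-header checking.

Added worked example; not Django code. All names here are constructed.
"""
from urllib.parse import urlsplit


def parse_request_head(raw: bytes):
    """Return (method, request_target, version, headers) from a request head.

    Only the head (up to the blank line) is parsed. Header names are
    lower-cased; repeated fields are not merged, which is fine for this demo.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def effective_request_uri(target: str, headers: dict, scheme: str = "http") -> str:
    """Compute the effective request URI as RFC 7230 section 5.5 describes.

    `scheme` is the scheme of the connection the request arrived on (assumed
    known to the server; "https" when TLS terminated here).
    """
    if target.lower().startswith(("http://", "https://")):
        # absolute-form: the effective request URI is the request-target itself,
        # regardless of what the Host header says.
        return target
    if target == "*":
        path = ""            # asterisk-form: empty path component
    elif target.startswith("/"):
        path = target        # origin-form: path-and-query only
    else:
        # authority-form (CONNECT): request-target is host:port, no path.
        return f"{scheme}://{target}"
    host = headers.get("host")
    if host is None:
        raise ValueError("HTTP/1.1 request is neither absolute-form nor has a Host header")
    return f"{scheme}://{host}{path}"


def host_allowed(authority: str, allowed_hosts) -> bool:
    """ALLOWED_HOSTS-style match: exact host, leading-dot suffix, or "*".

    The port is ignored; `urlsplit` also lower-cases the host for us.
    Constructed to mirror the setting's shape, not Django's implementation.
    """
    host = (urlsplit("//" + authority).hostname or "").rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def check_request(raw: bytes, allowed_hosts, scheme: str = "https") -> dict:
    """Evaluate one request both ways: by effective request URI and by Host."""
    _, target, _, headers = parse_request_head(raw)
    authority = urlsplit(effective_request_uri(target, headers, scheme)).netloc
    host_header = headers.get("host", "")
    return {
        "effective_authority": authority,
        "host_header": host_header,
        "allowed_by_effective_uri": host_allowed(authority, allowed_hosts),
        "allowed_by_host_header": host_allowed(host_header, allowed_hosts),
    }


# Constructed request head mirroring the one shown in the ticket.
TICKET_REQUEST = (
    b"GET https://valid.hostname/ HTTP/1.1\r\n"
    b"Host: invalid.hostname\r\n"
    b"\r\n"
)
ALLOWED_HOSTS = ["valid.hostname"]

if __name__ == "__main__":
    print(check_request(TICKET_REQUEST, ALLOWED_HOSTS))
```

Running it on the ticket's request yields `effective_authority == "valid.hostname"` (allowed) while `host_header == "invalid.hostname"` (rejected), which is exactly the disagreement the report describes. One caveat for anyone changing which value an application trusts: whatever the app validates must be the same value its front-end proxy used to route the request and that the app itself uses when building absolute URLs, because the point of a host allow-list is to stop an attacker-chosen host name from ending up in generated links. If the proxy routes on Host but the app validates the absolute-form authority (or the reverse), a request can reach one virtual host while the application reasons about another, and the allow-list no longer protects anything.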