Opened 11 years ago
Closed 11 years ago
#21389 closed Bug (fixed)
Some languages not accepted as valid HTTP Accept-Language
Reported by: | Bouke Haarsma | Owned by: | Bouke Haarsma |
---|---|---|---|
Component: | Internationalization | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | bouke@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In get_language_from_request
there are these lines:
normalized = locale.locale_alias.get(to_locale(accept_lang, True)) if not normalized: continue
However, fy_nl
is not in `locale_alias` (use search). Hence, the fy
/fy_nl
language code is rejected.
Attachments (1)
Change History (9)
by , 11 years ago
Attachment: | failing-fy-test.diff added |
---|
comment:1 by , 11 years ago
Cc: | added |
---|
comment:2 by , 11 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | Uncategorized → Bug |
The fact that get_language_from_request
relies on locale.locale_alias
is too limiting. The problem is that locale.locale_alias
is using the (on my system) Xlib /usr/share/X11/locale/locale.alias
list, which is not as exhaustive as the libc /usr/share/i18n/SUPPORTED
. So we have to fix this, but we have to be careful because this was introduced in a security fix [842a771e0527c].
comment:3 by , 11 years ago
The security fix referred to is a DoS-related attack:
A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.
Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update.
So there should be some limitation on which languages can be provided by the user to prevent such an attack, while allowing all possible languages and sublanguages.
comment:4 by , 11 years ago
Summary: | Frisian is not accepted as HTTP Accept-Language → Some languages not accepted as valid HTT Accept-Language |
---|
comment:5 by , 11 years ago
Summary: | Some languages not accepted as valid HTT Accept-Language → Some languages not accepted as valid HTTP Accept-Language |
---|
comment:6 by , 11 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:8 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
21389-failing-test.diff