[Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure


[Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-----------------------------------------+------------------------
               Reporter:  MrkGrgsn       |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  Uncategorized  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 I've observed that when using CSRF_USE_SESSIONS = True and with
 SessionMiddleware correctly placed before CsrfViewMiddleware, a
 request with an invalid HTTP_HOST header raises an exception and, while
 preparing a response for this exception, the CsrfViewMiddleware raises an
 unhandled ImproperlyConfigured exception and an internal server error is
 returned to the browser.

 I expect that an HTTP 400 will be returned to the user for an invalid
 HTTP_HOST header and that the CsrfViewMiddleware will not raise an
 exception.

 To reproduce, configure the application as above, set up a new hostname
 (one that is not in ALLOWED_HOSTS) pointing at the Django application
 (using the hosts file, for example), and then request that hostname.

--
Ticket URL: <https://code.djangoproject.com/ticket/30091>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/051.ade0e02339127cab3fb0c346ac61af81%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------+--------------------------------------
     Reporter:  MrkGrgsn       |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by MrkGrgsn):

 * Attachment "error_log.txt" added.


--
Ticket URL: <https://code.djangoproject.com/ticket/30091>

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------+--------------------------------------
     Reporter:  Mark Gregson   |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by Carlton Gibson):

 Hi Mark. Do you have an example project you can upload demonstrating this
 issue? Thanks!

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:1>

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------+--------------------------------------
     Reporter:  Mark Gregson   |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by Mark Gregson):

 Hi Carlton. Not one I can easily share. I'll see if I can create a minimal
 project that reproduces it.

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:2>

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------+--------------------------------------
     Reporter:  Mark Gregson   |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by Mark Gregson):

 * Attachment "min_example.diff" added.

 Patch to create minimal project reproducing the bug

--
Ticket URL: <https://code.djangoproject.com/ticket/30091>

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------+--------------------------------------
     Reporter:  Mark Gregson   |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by Mark Gregson):

 Okay, I've just attached a minimal working example. I've provided it as a
 patch to a 'django-admin startproject' site template using Django 1.11.18.
 You should just be able to do:
 1. django-admin startproject mysite
 2. cd mysite
 3. patch -p1 < min_example.diff

 In this example I've configured ALLOWED_HOSTS = ['localhost'] and added
 '127.0.0.1 dummy' to my /etc/hosts file. Requesting http://dummy:8000/
 reproduces the ImproperlyConfigured exception.

 While producing this example I found that placing CommonMiddleware before
 SessionMiddleware was also required to reproduce the bug. I'm unsure if
 this is a configuration error, but I couldn't see anything about ordering
 of those two middleware classes when I scanned the documentation just now.

 Cheers
 Mark

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:3>

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------+--------------------------------------
     Reporter:  Mark Gregson   |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by Carlton Gibson):

 Hey Mark. Super effort. Thank you. I’ll have a look at the project and get
 back to you. 👍

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:4>

Re: [Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure

Django
#30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
-------------------------------------+-------------------------------------
     Reporter:  Mark Gregson         |                    Owner:  Carlton Gibson
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  middleware           |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * status:  new => assigned
 * component:  Uncategorized => Documentation
 * keywords:   => middleware
 * version:  1.11 => master
 * owner:  nobody => Carlton Gibson
 * has_patch:  0 => 1
 * type:  Bug => Cleanup/optimization
 * stage:  Unreviewed => Accepted


Comment:

 OK, this is a documentation issue.

 Error views are wrapped with `@requires_csrf_token`, so
 `SessionMiddleware` must appear before any middleware that may raise an
 exception when using `CSRF_USE_SESSIONS`.

 The default project template has this correct, so you have to "opt-in" to
 this error.

 [https://github.com/django/django/pull/10882 PR]

 Thanks for the report and the project to reproduce Mark!

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:5>
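The ordering requirement described in the comment above, as an added example that is not part of the ticket, the attached minimal project, or Django's own code: a pure-Python audit of a MIDDLEWARE list that needs no Django install. The two sample lists are constructed here, one following the order the reporter describes in comment 3 (CommonMiddleware ahead of SessionMiddleware) and one following the `django-admin startproject` template. The `may_raise` set is an assumption: it lists only CommonMiddleware, the case this ticket demonstrates (its `request.get_host()` call raises DisallowedHost for a Host header not in ALLOWED_HOSTS), and should be extended with any project middleware that can raise in `process_request`.

```python
"""Audit a Django MIDDLEWARE list against the ordering CSRF_USE_SESSIONS needs.

Added example, not code from the ticket or from Django. Runs offline; it
only inspects the list of dotted paths.

Mechanism (from the ticket): the error views are decorated with
@requires_csrf_token, so CsrfViewMiddleware's token lookup runs while the
400 response for a bad Host header is being built. With CSRF_USE_SESSIONS
that lookup reads request.session, which exists only after
SessionMiddleware.process_request has run. If the middleware that raised
(CommonMiddleware, via request.get_host()) sits before SessionMiddleware,
request.session is unset and ImproperlyConfigured escapes as a 500 instead
of the expected 400.
"""
from typing import Iterable, List

SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
COMMON_MW = "django.middleware.common.CommonMiddleware"

# Middleware that can raise before the view runs. Assumption: only the case
# the ticket demonstrates is listed; extend it for your own middleware.
MAY_RAISE_BEFORE_VIEW = frozenset({COMMON_MW})


def audit_middleware(middleware: List[str], csrf_use_sessions: bool = True,
                     may_raise: Iterable[str] = MAY_RAISE_BEFORE_VIEW) -> List[str]:
    """Return human-readable findings; an empty list means the order is fine."""
    findings: List[str] = []
    if not csrf_use_sessions or CSRF_MW not in middleware:
        # Cookie-based CSRF tokens, or no CSRF middleware: nothing to check.
        return findings

    if SESSION_MW not in middleware:
        findings.append("CSRF_USE_SESSIONS is on but SessionMiddleware is not installed")
        return findings

    session_idx = middleware.index(SESSION_MW)
    csrf_idx = middleware.index(CSRF_MW)
    if session_idx > csrf_idx:
        findings.append("SessionMiddleware must come before CsrfViewMiddleware")

    # Anything that can raise while positioned before SessionMiddleware
    # reaches the error view without request.session having been set.
    for mw in middleware[:session_idx]:
        if mw in may_raise:
            findings.append(
                f"{mw.rsplit('.', 1)[-1]} is listed before SessionMiddleware; "
                "an exception it raises (e.g. DisallowedHost) makes the error "
                "view's CSRF handling fail with ImproperlyConfigured"
            )
    return findings


# Constructed from the reporter's description in comment 3.
MISORDERED = [
    COMMON_MW,
    SESSION_MW,
    CSRF_MW,
    "django.contrib.auth.middleware.AuthenticationMiddleware",
]

# Order produced by `django-admin startproject`, which the ticket says is correct.
DEFAULT_ORDER = [
    "django.middleware.security.SecurityMiddleware",
    SESSION_MW,
    COMMON_MW,
    CSRF_MW,
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]

if __name__ == "__main__":
    for name, order in (("misordered", MISORDERED), ("default", DEFAULT_ORDER)):
        result = audit_middleware(order)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it against your own `settings.MIDDLEWARE` (for example from a Django shell or a deploy-time check) and treat any finding as a blocker: the failure only shows up on a request with a Host header outside ALLOWED_HOSTS, which is exactly the traffic a normal test suite rarely sends.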

Re: [Django] #30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS. (was: Invalid HTTP_HOST header causes CsrfViewMiddleware failure)

Django
#30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
     Reporter:  Mark Gregson         |                    Owner:  Carlton Gibson
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  middleware           |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:6>

Re: [Django] #30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.

Django
#30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
     Reporter:  Mark Gregson         |                    Owner:  Carlton Gibson
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  middleware           |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mark Gregson):

 Thanks Carlton. Appreciate the quick review.

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:7>

Re: [Django] #30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.

Django
#30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
     Reporter:  Mark Gregson         |                    Owner:  Carlton Gibson
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  middleware           |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"89d39dc1d77338b7436abec017e392fc1bdbe3d7" 89d39dc]:
 {{{
 #!CommitTicketReference repository=""
 revision="89d39dc1d77338b7436abec017e392fc1bdbe3d7"
 [2.2.x] Fixed #30091 -- Doc'd middleware ordering requirements with
 CSRF_USE_SESSIONS.

 Backport of bae66e759faee8513da4b11d3fd16b044b415bdb from master.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:8>

Re: [Django] #30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.

Django
#30091: Incorrect middleware ordering allows invalid HTTP_HOST header to cause
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
     Reporter:  Mark Gregson         |                    Owner:  Carlton Gibson
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  middleware           |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"bae66e759faee8513da4b11d3fd16b044b415bdb" bae66e75]:
 {{{
 #!CommitTicketReference repository=""
 revision="bae66e759faee8513da4b11d3fd16b044b415bdb"
 Fixed #30091 -- Doc'd middleware ordering requirements with
 CSRF_USE_SESSIONS.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:9>