File: 20_fix_get_host.diff

Origin: backport, commit:2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b
Description: Fixed a security issue in get_host
Bug-Debian: http://bugs.debian.org/696535

--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -21,6 +21,8 @@ from utils import *
 RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
 
 absolute_http_url_re = re.compile(r"^https?://", re.I)
+host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
+
 
 class Http404(Exception):
     pass
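Review bot: The new `host_validation_re` is anchored with `$`, which in Python's `re` also matches just before a trailing newline, so a value such as `example.com\n` would pass the check; anchoring with `\Z` (`r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?\Z"`) makes the end anchor strict. The pattern also accepts only lowercase letters and is compiled without `re.I`, so it is correct only when callers lowercase the value first, as the second hunk does; that coupling deserves a comment next to the definition, e.g. `# Lowercase-only: callers must match against host.lower(). Syntactic check for hostname / IPv6 literal with optional port.`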
@@ -59,7 +61,7 @@ class HttpRequest(object):
                 host = '%s:%s' % (host, server_port)
 
         # Disallow potentially poisoned hostnames.
-        if set(';/?@&=+$,').intersection(host):
+        if not host_validation_re.match(host.lower()):
             raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
 
         return host
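Review bot: The replaced check on the `if not host_validation_re.match(host.lower()):` line is a purely syntactic test; it rejects hosts containing characters outside the pattern but does not confirm that the value names a host this site actually serves, and the pre-existing comment "Disallow potentially poisoned hostnames." reads as if it did more. A short comment makes the scope explicit for the next maintainer: `# Syntactic check only (host or IPv6 literal, optional port); does not verify the host against an expected set.` Note also that the match runs on a lowercased copy while the original-case `host` is what is returned and interpolated into the SuspiciousOperation message. The enclosing `get_host` method begins outside this hunk.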