From 319627c184e71ae267d6b7f000e293168c7b6e09 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Tue, 27 Nov 2012 22:26:29 +0100 Subject: [PATCH] [1.4.X] Fixed a security issue in get_host. Full disclosure and new release forthcoming. --- django/http/__init__.py | 4 +++- docs/topics/security.txt | 27 +++++++++++++++++++++++++ tests/regressiontests/requests/tests.py | 11 +++++++--- 3 files changed, 38 insertions(+), 4 deletions(-) diff --git a/django/http/__init__.py b/django/http/__init__.py index 98ec9966c4..da993eb8d3 100644 --- a/django/http/__init__.py +++ b/django/http/__init__.py @@ -126,6 +126,8 @@ from django.utils import timezone RESERVED_CHARS="!*'();:@&=+$,/?%#[]" absolute_http_url_re = re.compile(r"^https?://", re.I) +host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$") + class Http404(Exception): pass @@ -214,7 +216,7 @@ class HttpRequest(object): host = '%s:%s' % (host, server_port) # Disallow potentially poisoned hostnames. - if set(';/?@&=+$,').intersection(host): + if not host_validation_re.match(host.lower()): raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host) return host diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 151853d4ac..0b5112803c 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -167,6 +167,33 @@ recommend you ensure your Web server is configured such that: Additionally, as of 1.3.1, Django requires you to explicitly enable support for the ``X-Forwarded-Host`` header if your configuration requires it. +Configuration for Apache +------------------------ + +The easiest way to get the described behavior in Apache is as follows. Create +a `virtual host`_ using the ServerName_ and ServerAlias_ directives to restrict +the domains Apache reacts to. Please keep in mind that while the directives do +support ports the match is only performed against the hostname. This means that +the ``Host`` header could still contain a port pointing to another webserver on +the same machine. The next step is to make sure that your newly created virtual +host is not also the default virtual host. Apache uses the first virtual host +found in the configuration file as default virtual host. As such you have to +ensure that you have another virtual host which will act as catch-all virtual +host. Just add one if you do not have one already, there is nothing special +about it aside from ensuring it is the first virtual host in the configuration +file. Debian/Ubuntu users usually don't have to take any action, since Apache +ships with a default virtual host in ``sites-available`` which is linked into +``sites-enabled`` as ``000-default`` and included from ``apache2.conf``. Just +make sure not to name your site ``000-abc``, since files are included in +alphabetical order. + +.. _virtual host: http://httpd.apache.org/docs/2.2/vhosts/ +.. _ServerName: http://httpd.apache.org/docs/2.2/mod/core.html#servername +.. _ServerAlias: http://httpd.apache.org/docs/2.2/mod/core.html#serveralias + + + + Additional security topics ========================== diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py index cf8fed0253..caa25aea21 100644 --- a/tests/regressiontests/requests/tests.py +++ b/tests/regressiontests/requests/tests.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- from __future__ import with_statement import time @@ -154,13 +155,15 @@ class RequestsTests(unittest.TestCase): '12.34.56.78:443', '[2001:19f0:feee::dead:beef:cafe]', '[2001:19f0:feee::dead:beef:cafe]:8080', + 'xn--4ca9at.com', # Punnycode for öäü.com ] poisoned_hosts = [ 'example.com@evil.tld', 'example.com:dr.frankenstein@evil.tld', - 'example.com:someone@somestie.com:80', - 'example.com:80/badpath' + 'example.com:dr.frankenstein@evil.tld:80', + 'example.com:80/badpath', + 'example.com: recovermypassword.com', ] for host in legit_hosts: @@ -230,13 +233,15 @@ class RequestsTests(unittest.TestCase): '12.34.56.78:443', '[2001:19f0:feee::dead:beef:cafe]', '[2001:19f0:feee::dead:beef:cafe]:8080', + 'xn--4ca9at.com', # Punnycode for öäü.com ] poisoned_hosts = [ 'example.com@evil.tld', 'example.com:dr.frankenstein@evil.tld', 'example.com:dr.frankenstein@evil.tld:80', - 'example.com:80/badpath' + 'example.com:80/badpath', + 'example.com: recovermypassword.com', ] for host in legit_hosts: