Re: [Django] #25099: Cleanup HttpRequest representations in error reporting

Wed, 02 Sep 2015 09:01:29 -0700 

#25099: Cleanup HttpRequest representations in error reporting
--------------------------------------+------------------------------------
     Reporter:  vzima                 |                    Owner:  vzima
         Type:  Cleanup/optimization  |                   Status:  assigned
    Component:  Core (Other)          |                  Version:  master
     Severity:  Release blocker       |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  0                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------

Comment (by vzima):

 This is an interesting error. The problem is caused by the fact that
 allowed hosts are checked inside `HttpRequest.get_host()` which makes this
 function completely unusable in case of disallowed host. Among others it
 is used in `HttpRequest.get_absolute_url()` which is used to provide full
 URL in exception reports. The problem was hidden before, because exception
 reports are handled after the validation of the HTTP host, so the error
 was not triggered.

 Quick and dirty solution would most likely be addition of extra argument
 to the `HttpRequest.get_host()` method to suppress validation against the
 ALLOWED_HOSTS.

 But I'm puzzled by the fact that allowed hosts are validated in
 `HttpRequest.get_host()` method and not explicitely. I even have a
 suspicion that a request with disallowed host can be handled in cases
 where middlewares which uses `get_host()` method, such as
 `CommonMiddleware`, are disabled.

--
Ticket URL: <https://code.djangoproject.com/ticket/25099#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/063.7a3f28cbd5d74a9bf0e8c1474766ecf8%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to