DisallowedHost causes 500 errors.


J. Cliff Dyer

Feb 13, 2014, 12:27:37 PM
to django-d...@googlegroups.com
Django devs,

I've noticed that the new ALLOWED_HOSTS causes the site
to return HTTP-500 errors whenever a user submits a request with an
HTTP_HOST header that is not allowed. This is flooding my developers'
inboxes with spurious error messages. The site is refusing the
requests as expected, but it is doing so with a *server* error, when in
fact the error is a problem with what the *clients* are doing. I'd
like to start a discussion here before I create a bug report, but I
believe this should instead be returning a 403 Forbidden response
(based on my reading of http://httpstatus.es/403), or at least
something in the 4xx (Client Error) range. This might be appropriate
for other SuspiciousOperation exceptions as well, though it's probably
worth discussing just how they are each handled.

In short, I think 500 makes it look like there's something wrong
with the server, when in fact the response is being blocked because the
server is doing the right thing. If there's some consensus that this
would be a helpful enhancement, I'll write up a bug report and see if I
can create a patch to accompany it. Otherwise, I'll try to fix it for
my own use in a custom middleware.

Cheers,
Cliff

Mark Lavin

Feb 13, 2014, 12:35:16 PM
to django-d...@googlegroups.com
This was already changed in https://code.djangoproject.com/ticket/19866 which is part of 1.6. It's noted under the minor features https://docs.djangoproject.com/en/1.6/releases/1.6/#minor-features

SuspiciousOperation has been differentiated into a number of subclasses, and each will log to a matching named logger under the django.security logging hierarchy. Along with this change, a handler400 mechanism and default view are used whenever a SuspiciousOperation reaches the WSGI handler to return an HttpResponseBadRequest.

Best,

Mark 
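The mechanism Mark describes (a SuspiciousOperation subclass raised for a bad Host header, logged under its own django.security.* logger, and turned into a 400 rather than a 500 at the handler) can be traced in a few lines. The following is an added, standalone sketch written for this thread; it is not Django's code and does not import Django. The ALLOWED_HOSTS value, the sample requests and the names `host_is_allowed`, `get_host`, `handle_request` and `refused_requests` are all constructed for the example.

```python
"""Standalone sketch of the SuspiciousOperation -> 400 -> django.security.*
logging flow discussed in this thread.  Constructed example; it imitates
Django's behaviour without importing Django."""
import logging

# Constructed setting: hosts this deployment answers for.  As in Django, a
# pattern starting with '.' matches the bare domain and every subdomain.
ALLOWED_HOSTS = ["example.com", ".example.org"]


class SuspiciousOperation(Exception):
    """Base class: the request is refused because the *client* misbehaved."""


class DisallowedHost(SuspiciousOperation):
    """The Host header did not match ALLOWED_HOSTS."""


def host_is_allowed(host, allowed_hosts):
    """Apply ALLOWED_HOSTS matching rules: exact match, a '.domain' pattern
    that matches the domain itself or any subdomain, or '*' for anything."""
    host = host.lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def get_host(environ):
    """Read the Host header from a WSGI environ and validate it, raising the
    specific SuspiciousOperation subclass on failure.  A trailing ':port' is
    stripped; bracketed IPv6 literals are left alone in this sketch."""
    host = environ.get("HTTP_HOST", "")
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    if not host_is_allowed(host, ALLOWED_HOSTS):
        raise DisallowedHost("Invalid HTTP_HOST header: %r." % host)
    return host


def handle_request(environ):
    """Stand-in for the WSGI handler: run the 'view', and convert any
    SuspiciousOperation into a 400 logged under django.security.<ClassName>
    instead of letting it escape as an unhandled exception (a 500)."""
    try:
        host = get_host(environ)
        return 200, "Hello from %s" % host
    except SuspiciousOperation as exc:
        # One named logger per subclass, so operators can filter or silence a
        # single category (e.g. DisallowedHost) without touching the others.
        logger = logging.getLogger("django.security.%s" % exc.__class__.__name__)
        logger.error(str(exc))
        return 400, "Bad Request"


def refused_requests(environs):
    """Run several requests and return (responses, logger names hit), which
    shows that the per-subclass loggers roll up to 'django.security'."""
    seen = []

    class _Capture(logging.Handler):
        def emit(self, record):
            seen.append(record.name)

    parent = logging.getLogger("django.security")
    handler = _Capture()
    parent.addHandler(handler)
    try:
        responses = [handle_request(e) for e in environs]
    finally:
        parent.removeHandler(handler)
    return responses, seen


if __name__ == "__main__":
    # Constructed sample requests: one with a spoofed Host, one legitimate.
    sample = [{"HTTP_HOST": "attacker.test"}, {"HTTP_HOST": "example.com:8000"}]
    responses, loggers = refused_requests(sample)
    for env, resp in zip(sample, responses):
        print(env.get("HTTP_HOST"), "->", resp)
    print("loggers hit:", loggers)
```

The practical consequence for the inbox-flooding problem is that, because each subclass has its own logger name, a deployment can give `django.security.DisallowedHost` its own entry in the `LOGGING` setting (for example routing it to a null handler with `propagate` set to `False`) so that those client errors stop reaching the mail handler while other `django.security.*` events still do.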

J. Clifford Dyer

Feb 13, 2014, 12:43:22 PM
to django-d...@googlegroups.com
Thanks for the quick response, Mark. That's awesome. Sorry I missed it in the changelog.

Cheers,
Cliff

Florian Apolloner

Feb 13, 2014, 4:46:26 PM
to django-d...@googlegroups.com
Hi Cliff,

Just as a side note, the fact that you get those errors in your inbox is also a sign of a misconfiguration of your webserver. The Django error is, so to say, a last resort; on a properly configured system those requests would never reach Django at all.

Regards,
Florian