[Django] #30091: Invalid HTTP_HOST header causes CsrfViewMiddleware failure
Django
-----------------------------------------+------------------------
Reporter: MrkGrgsn | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
I've observed that when using CSRF_USE_SESSIONS = True and with
SessionMiddleware correctly placed before CsrfViewMiddleware that a
request with an invalid HTTP_HOST header raises an exception and, while
preparing a response for this exception, the CsrfViewMiddleware raises an
unhandled ImproperlyConfigured exception and an internal server error is
returned to the browser.
I expect that an HTTP 400 will be returned to the user for an invalid
HTTP_HOST header and that the CsrfViewMiddleware will not raise an
exception.
To reproduce, configure the application as above, set up a new hostname
(one that is not in ALLOWED_HOSTS) pointing at the Django application
(using the hosts file, for example), and then request that hostname.
--
Ticket URL: <https://code.djangoproject.com/ticket/30091>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: MrkGrgsn | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by MrkGrgsn):
* Attachment "error_log.txt" added.
Django
Reporter: Mark Gregson | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Carlton Gibson):
Hi Mark. Do you have an example project you can upload demonstrating this
issue? Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:1>
Django
Reporter: Mark Gregson | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mark Gregson):
Hi Carlton. Not one I can easily share. I'll see if I can create a minimal
project that reproduces it.
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:2>
Django
Reporter: Mark Gregson | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mark Gregson):
* Attachment "min_example.diff" added.
Patch to create minimal project reproducing the bug
Django
Reporter: Mark Gregson | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mark Gregson):
Okay, I've just attached a minimal working example. I've provided it as a
patch to a 'django-admin startproject' site template using Django 1.11.18.
You should just be able to do:
1. django-admin startproject mysite
2. cd mysite
3. patch -p1 < min_example.diff
In this example I've configured ALLOWED_HOSTS = ['localhost'] and added
'127.0.0.1 dummy' to my /etc/hosts file. Requesting http://dummy:8000/
reproduces the ImproperlyConfigured exception.
While producing this example I found that placing CommonMiddleware before
SessionMiddleware was also required to reproduce the bug. I'm unsure if
this is a configuration error; but I couldn't see anything about ordering
of those two middleware classes when I scanned the documentation just now.
Cheers
Mark
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:3>
Django
Reporter: Mark Gregson | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Carlton Gibson):
Hey Mark. Super effort. Thank you. I’ll have a look at the project and get
back to you. 👍
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:4>
Django
Reporter: Mark Gregson | Owner: Carlton
Type: | Gibson
Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: middleware | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Carlton Gibson):
* status: new => assigned
* component: Uncategorized => Documentation
* keywords: => middleware
* version: 1.11 => master
* owner: nobody => Carlton Gibson
* has_patch: 0 => 1
* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted
Comment:
OK, this is a documentation issue.
Error views are wrapped with `@requires_csrf_token`, so
`SessionMiddleware` must appear before any middleware that may raise an
exception when using `CSRF_USE_SESSIONS`.
The default project template has this correct, so you have to "opt-in" to
this error.
[https://github.com/django/django/pull/10882 PR]
Thanks for the report and the project to reproduce Mark!
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:5>
Django
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
Reporter: Mark Gregson | Owner: Carlton
Type: | Gibson
Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: middleware | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:6>
Django
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
Reporter: Mark Gregson | Owner: Carlton
Type: | Gibson
Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: middleware | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mark Gregson):
Thanks Carlton. Appreciate the quick review.
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:7>
Django
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
Reporter: Mark Gregson | Owner: Carlton
Type: | Gibson
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: middleware | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"bae66e759faee8513da4b11d3fd16b044b415bdb" bae66e75]:
{{{
#!CommitTicketReference repository=""
revision="bae66e759faee8513da4b11d3fd16b044b415bdb"
Fixed #30091 -- Doc'd middleware ordering requirements with
CSRF_USE_SESSIONS.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:9>
Django
CsrfViewMiddleware failure when using CSRF_USE_SESSIONS.
-------------------------------------+-------------------------------------
Reporter: Mark Gregson | Owner: Carlton
Type: | Gibson
Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: middleware | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"89d39dc1d77338b7436abec017e392fc1bdbe3d7" 89d39dc]:
{{{
#!CommitTicketReference repository=""
revision="89d39dc1d77338b7436abec017e392fc1bdbe3d7"
[2.2.x] Fixed #30091 -- Doc'd middleware ordering requirements with
CSRF_USE_SESSIONS.
Backport of bae66e759faee8513da4b11d3fd16b044b415bdb from master.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30091#comment:8>