malicious requests?
49 views
Skip to first unread message
Alex Haylock
Dec 22, 2014, 6:44:25 AM12/22/14
to django...@googlegroups.com
Are there any known attack vectors that involve appending a period/
full-stop to a sites domain name?
My Django application throws a handful of errors in production every day:
ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to add
u'www.example.com.' to ALLOWED_HOSTS.
(note the trailing period)
Is this malicious behaviour, or just users mistyping the URL?
Also, browsers are clearly treating the final '.' as part of the path
(as these requests are reaching my application), but Django is treating
the '.' as part of the hostname. Which is right?
--
Regards,
Alex
full-stop to a sites domain name?
My Django application throws a handful of errors in production every day:
ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to add
u'www.example.com.' to ALLOWED_HOSTS.
(note the trailing period)
Is this malicious behaviour, or just users mistyping the URL?
Also, browsers are clearly treating the final '.' as part of the path
(as these requests are reaching my application), but Django is treating
the '.' as part of the hostname. Which is right?
--
Regards,
Alex
Markus Holtermann
Dec 22, 2014, 6:52:39 AM12/22/14
to django...@googlegroups.com, ageo+...@mykolab.com
Hey Alex,
a trailing . in the host header is valid per RFC 3986: http://tools.ietf.org/html/rfc3986#section-3.2.2:
The rightmost domain label of a fully qualified domain name in DNS may be followed by a single "."
/Markus
Alex Haylock
Dec 22, 2014, 7:05:57 AM12/22/14
to django...@googlegroups.com, Markus Holtermann
Thanks Markus.
So, as per the RFC, are 'example.com' and 'example.com.' considered to
be the same domain, or two separate domains?
Are there any security implications if I add 'example.com.' to
ALLOWED_HOSTS to cater for these requests?
Thanks,
Alex.
On 22/12/14 11:52, Markus Holtermann wrote:
> Hey Alex,
>
> a trailing . in the host header is valid per RFC 3986:
> http://tools.ietf.org/html/rfc3986#section-3.2.2:
>
> The rightmost domain label of a fully qualified domain name in DNS
> may be followed by a single "."
>
>
> /Markus
>
> On Monday, December 22, 2014 12:44:25 PM UTC+1, Alex Haylock wrote:
>
> Are there any known attack vectors that involve appending a period/
> full-stop to a sites domain name?
>
> My Django application throws a handful of errors in production every
> day:
>
> ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to
> add
> u'www.example.com <http://www.example.com>.' to ALLOWED_HOSTS.
So, as per the RFC, are 'example.com' and 'example.com.' considered to
be the same domain, or two separate domains?
Are there any security implications if I add 'example.com.' to
ALLOWED_HOSTS to cater for these requests?
Thanks,
Alex.
On 22/12/14 11:52, Markus Holtermann wrote:
> Hey Alex,
>
> a trailing . in the host header is valid per RFC 3986:
> http://tools.ietf.org/html/rfc3986#section-3.2.2:
>
> The rightmost domain label of a fully qualified domain name in DNS
> may be followed by a single "."
>
>
> /Markus
>
> On Monday, December 22, 2014 12:44:25 PM UTC+1, Alex Haylock wrote:
>
> Are there any known attack vectors that involve appending a period/
> full-stop to a sites domain name?
>
> My Django application throws a handful of errors in production every
> day:
>
> ERROR: Invalid HTTP_HOST header: 'www.example.com.'. You may need to
> add
Mark Phillips
Dec 22, 2014, 8:47:54 AM12/22/14
to django users
Alex,
The trailing period could be from online promotional materials for your site. Someone may have written your URL with the trailing period inside the URL by mistake when the promotional materials were created. It may not be an attack vector from a malicious hacker, but instead, valid users just clicking on a link that contains a URL for your site with the trailing period.
--
Regards,
Alex
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/549803CE.7060208%40mykolab.com.
For more options, visit https://groups.google.com/d/optout.
Alasdair Nicol
Dec 22, 2014, 8:59:32 AM12/22/14
to django...@googlegroups.com
Hi Alex,
There is no security implication adding 'example.com.' (with trailing
dot) to your ALLOWED_HOSTS setting. There is some more information in
the ALLOWED_HOSTS setting docs.
From https://docs.djangoproject.com/en/1.7/ref/settings/#allowed-hosts
> In previous [<= 1.6.X] versions of Django, if you wanted to also
> allow the fully qualified domain name (FQDN), which some browsers
> can send inthe Host header, you had to explicitly add another
> ALLOWED_HOSTS entry that included a trailing period.
> In Django 1.7, the trailing dot is stripped when performing host
> validation, thus an entry with a trailing dot isn’t required.
cheers,
Alasdair
--
Alasdair Nicol
Developer, MEMSET
mail: alas...@memset.com
web: http://www.memset.com/
Memset Ltd., registration number 4504980.
Building 87, Dunsfold Park, Stovolds Hill, Cranleigh, Surrey, GU6 8TB, UK
There is no security implication adding 'example.com.' (with trailing
dot) to your ALLOWED_HOSTS setting. There is some more information in
the ALLOWED_HOSTS setting docs.
From https://docs.djangoproject.com/en/1.7/ref/settings/#allowed-hosts
> In previous [<= 1.6.X] versions of Django, if you wanted to also
> allow the fully qualified domain name (FQDN), which some browsers
> can send inthe Host header, you had to explicitly add another
> ALLOWED_HOSTS entry that included a trailing period.
> In Django 1.7, the trailing dot is stripped when performing host
> validation, thus an entry with a trailing dot isn’t required.
cheers,
Alasdair
Alasdair Nicol
Developer, MEMSET
mail: alas...@memset.com
web: http://www.memset.com/
Memset Ltd., registration number 4504980.
Building 87, Dunsfold Park, Stovolds Hill, Cranleigh, Surrey, GU6 8TB, UK
Alex Haylock
Dec 22, 2014, 9:46:50 AM12/22/14
to django...@googlegroups.com
Thanks Alasdair, that's really useful. I'm using v1.6.X in production,
which makes sense based on your email.
Alex.
which makes sense based on your email.
Alex.
Fergus Cameron
Dec 22, 2014, 7:03:35 PM12/22/14
to django...@googlegroups.com
On 22/12/2014, Alasdair Nicol <alas...@memset.com> wrote:
> [ ... ]
one is missing rather than removing it when one is present. I suppose
convention superceeds, oh well.
> [ ... ]
> > In Django 1.7, the trailing dot is stripped when performing host
> > validation, thus an entry with a trailing dot isn’t required.
How odd, since the canonical representation would be to add a dot when
> > validation, thus an entry with a trailing dot isn’t required.
one is missing rather than removing it when one is present. I suppose
convention superceeds, oh well.
Reply all
Reply to author
Forward
0 new messages