[1.3.X] Fixed a security issue in get_host.

apollo13 · apollo13 · commit 2da4ace0bc1b · 2012-12-03T13:11:34.000+01:00
Full disclosure and new release forthcoming.
diff --git a/django/http/__init__.py b/django/http/__init__.py
@@ -129,6 +129,8 @@ def __init__(self, *args, **kwargs):
 RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
 
 absolute_http_url_re = re.compile(r"^https?://", re.I)
+host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
+
 
 class Http404(Exception):
     pass
@@ -167,7 +169,7 @@ def get_host(self):
                 host = '%s:%s' % (host, server_port)
 
         # Disallow potentially poisoned hostnames.
-        if set(';/?@&=+$,').intersection(host):
+        if not host_validation_re.match(host.lower()):
             raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
 
         return host
diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 import time
 from datetime import datetime, timedelta
 from StringIO import StringIO
@@ -110,13 +111,15 @@ def test_http_get_host(self):
                 '12.34.56.78:443',
                 '[2001:19f0:feee::dead:beef:cafe]',
                 '[2001:19f0:feee::dead:beef:cafe]:8080',
+                'xn--4ca9at.com', # Punnycode for öäü.com
             ]
 
             poisoned_hosts = [
                 'example.com@evil.tld',
                 'example.com:dr.frankenstein@evil.tld',
-                'example.com:someone@somestie.com:80',
-                'example.com:80/badpath'
+                'example.com:dr.frankenstein@evil.tld:80',
+                'example.com:80/badpath',
+                'example.com: recovermypassword.com',
             ]
 
             for host in legit_hosts:
@@ -187,13 +190,15 @@ def test_http_get_host_with_x_forwarded_host(self):
                 '12.34.56.78:443',
                 '[2001:19f0:feee::dead:beef:cafe]',
                 '[2001:19f0:feee::dead:beef:cafe]:8080',
+                'xn--4ca9at.com', # Punnycode for öäü.com
             ]
 
             poisoned_hosts = [
                 'example.com@evil.tld',
                 'example.com:dr.frankenstein@evil.tld',
                 'example.com:dr.frankenstein@evil.tld:80',
-                'example.com:80/badpath'
+                'example.com:80/badpath',
+                'example.com: recovermypassword.com',
             ]
 
             for host in legit_hosts:
