Fixed #28693 -- Fixed DisallowedHost crash in CsrfViewMiddleware when an HTTPS request has an invalid host.

[r3m0t]

https://code.djangoproject.com/ticket/28693

[timgraham]

A test in tests/csrf_tests/tests.py is probably appropriate (or perhaps more appropriate than the one for bad_request) consider that's where the problem is.

[timgraham]

I'm not sure that it's important to backport the fix. It seems like it would only affect someone who isn't following the deployment advice,

You should also configure the Web server that sits in front of Django to validate the host. It should respond with a static error page or ignore requests for incorrect hosts instead of forwarding the request to Django. This way you’ll avoid spurious errors in your Django logs (or emails if you have error reporting configured that way).

[timgraham]

if the Host header isn't in ALLOWED_HOSTS.

[r3m0t]

@timgraham fixed

[timgraham]

Did you see and consider my comment, "A test in tests/csrf_tests/tests.py is probably appropriate (or perhaps more appropriate than the one for bad_request) consider that's where the problem is."

[r3m0t]

No, I will see if that's possible

[r3m0t]

@timgraham yep, fixed (for real this time)

[gnprice]

Thanks for fixing this! (I reported the original bug.)

The fix looks basically reasonable to me, but I don't have enough context on this code to say with confidence if it's the right way to do it.

I am puzzled by one of the new tests -- see below.

[gnprice]

I'm not sure I totally understand this test.

Does it actually involve the bad-request page? It doesn't look like it, but the docstring says so.

Why is the status code 200, rather than 400? This looks to me like a request with an HTTP_HOST that doesn't match ALLOWED_HOSTS.

[r3m0t]

No, it doesn't. requires_csrf_token(token_view) is a standin for the default 400 handler, but it gives status 200. I will improve the docstring.

[gnprice]

Much clearer, thanks!