Django's SuspiciousOperation Invalid HTTP_HOST header


Question

After upgrading to Django 1.5, I started getting errors like this:

Traceback (most recent call last):

  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 92, in get_response
    response = middleware_method(request)

  File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
    host = request.get_host()

  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): www.google.com

<WSGIRequest
path:/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '',
'CONTENT_TYPE': '',
'DOCUMENT_ROOT': '/etc/nginx/html',
'HTTP_ACCEPT': 'text/html',
'HTTP_HOST': 'www.google.com',
'HTTP_PROXY_CONNECTION': 'close',
'HTTP_USER_AGENT': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'PATH_INFO': u'/',
'QUERY_STRING': '',
'REMOTE_ADDR': '210.245.91.104',
'REMOTE_PORT': '49347',
'REQUEST_METHOD': 'GET',
'REQUEST_URI': '/',
u'SCRIPT_NAME': u'',
'SERVER_NAME': 'www.derekkwok.net',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.0',
'uwsgi.node': 'derekkwok',
'uwsgi.version': '1.4.4',
'wsgi.errors': <open file 'wsgi_errors', mode 'w' at 0xb6d99c28>,
'wsgi.file_wrapper': <built-in function uwsgi_sendfile>,
'wsgi.input': <uwsgi._Input object at 0x953e698>,
'wsgi.multiprocess': True,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>

I've set ALLOWED_HOSTS = ['.derekkwok.net'] in my settings.py file.

What is going on here? Is someone pretending to be Google and accessing my site? Or is it a benign case of someone setting their HTTP_HOST header incorrectly?

Recommended answer

If your ALLOWED_HOSTS is set correctly, then it is possible someone is probing your site for the vulnerability by spoofing the header.

There is discussion right now by the Django developers to change this from a 500 internal server error to a 400 response. See this ticket.
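
An added example, not part of the original answer and not Django's own code: a simplified host check using the leading-dot rule of ALLOWED_HOSTS, wrapped in a hypothetical WSGI middleware (`HostCheckMiddleware`) that answers a spoofed Host header with 400 instead of letting the application raise a 500. It assumes that a missing Host header should be rejected as well.

```python
import re

ALLOWED_HOSTS = [".derekkwok.net"]  # the setting quoted in the question

# Hostname or bracketed IPv6 literal, optionally followed by a port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(?::\d+)?$")


def split_host(raw):
    """Return the lowercased host without its port, or None if malformed."""
    m = _HOST_RE.match(raw.strip().lower())
    if not m:
        return None
    host = m.group(1)
    # A fully qualified name may carry a trailing dot; compare without it.
    return host[:-1] if host.endswith(".") else host


def host_allowed(raw, allowed=ALLOWED_HOSTS):
    """True if the Host header value matches one of the allowed patterns."""
    host = split_host(raw)
    if host is None:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        # A leading dot matches the bare domain and any subdomain of it.
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


class HostCheckMiddleware:
    """Hypothetical WSGI wrapper: reject bad Host headers with a 400."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        # Assumption: a request with no Host header is rejected too.
        if not host_allowed(environ.get("HTTP_HOST", ""), self.allowed):
            body = b"Bad Request: invalid Host header\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

The Host values in the checks are constructed samples, apart from `www.google.com` and `www.derekkwok.net`, which appear in the request dump above.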
