Django team considers host header poisoning (CVE-2011-4139 and CVE-2012-4520) as a security issue that must be resolved at a framework level. Pyramid, for instance (that is, its underlying low-level request wrapper—webob) does not consider this as an issue.

On production & development machines I have nginx which seems to pass the correct SERVER_NAME even if the Host header contains complete garbage, and responds with 444 No Response if there is no matching server_name.

Question: should I worry about Host header poisoning in such a case, if I use SERVER_NAME to build absolute URLs?

Jonathan Vanasco

1 Answer

If you use nginx to sanitize the HTTP_HOST and SERVER_NAME fields, you are doing the right thing and do not need to worry about Host header poisoning.

Like Django, Pyramid considers a large part of this the task of the WSGI host environment. And nginx does an excellent, battle-hardened job of sanitizing the HTTP request information.

Martijn Pieters
  • I'd say, "Django considers this as the task of itself at some extent" :) – ASKSBADQUESTIONS Mar 23 '13 at 14:32
  • @ASKSBADQUESTIONS: see [the CVE-2012-4520 advisory](https://www.djangoproject.com/weblog/2012/oct/17/security/): *Some attacks against this are beyond Django's ability to control, and require the web server to be properly configured*. – Martijn Pieters Mar 23 '13 at 14:34
  • That's why it shouldn't be Django's problem. It is bad configuration, not framework (maybe Django developers have their own opinion on this, who knows). P.S. I mentioned that CVE in question ;) Plus, I saw (somewhere, do not remember where) bad fix-security-of-other-project changes that made code a) hard to read & change b) insecure. What do you think? – ASKSBADQUESTIONS Mar 23 '13 at 14:44
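As an added example, not code from the question, the answer, Pyramid or Django, here is the application-side counterpart to the nginx setup described above: an allowlist check in the spirit of Django's ALLOWED_HOSTS, applied before any host value is used to build an absolute URL, so the application stays safe even if the proxy in front of it is misconfigured or bypassed. The allowlist entries and the WSGI environ values are constructed.

```python
import re
from urllib.parse import urlunsplit

# Constructed allowlist; a leading dot also admits subdomains (Django's ALLOWED_HOSTS convention).
ALLOWED_HOSTS = {"example.com", ".example.com"}

_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(:\d{1,5})?$")  # name or [IPv6], optional port

def split_host(host_header):
    """Return (hostname, port) from a Host header value, or None if malformed."""
    m = _HOST_RE.match(host_header.strip().lower())
    if not m:
        return None
    hostname = m.group(1).rstrip(".")  # a trailing dot still names the same host
    port = m.group(2)[1:] if m.group(2) else None
    return hostname, port

def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the header parses cleanly and matches an allowlist entry."""
    parsed = split_host(host_header)
    if parsed is None:
        return False
    hostname, _port = parsed
    for pattern in allowed:
        if pattern.startswith("."):
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return True
        elif hostname == pattern:
            return True
    return False

def absolute_url(environ, path):
    """Build an absolute URL, refusing any host that is not on the allowlist."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if not host_is_allowed(host):
        raise ValueError("Host header rejected: %r" % host)
    scheme = environ.get("wsgi.url_scheme", "http")
    return urlunsplit((scheme, host, path, "", ""))

class HostGuardMiddleware:
    """WSGI middleware that answers 400 before the application sees a bad Host."""
    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app, self.allowed = app, allowed
    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if not host_is_allowed(host, self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Invalid Host header\n"]
        return self.app(environ, start_response)
```

Wrapping the Pyramid (or any WSGI) application in HostGuardMiddleware rejects a bad Host at the edge of the process, while absolute_url is the check to use in password-reset or redirect code that generates links.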