f351b05031
Several templates used a variable set by the user (the request host header). This led to a vulnerability where an attacker could inject their domain name into these templates (i.e., activation emails). This patch fixes this vulnerability. LMS-532
18 lines
574 B
Python
18 lines
574 B
Python
""" Utility functions related to HTTP requests """
|
|
from django.conf import settings
|
|
|
|
|
|
def safe_get_host(request):
|
|
"""
|
|
Get the host name for this request, as safely as possible.
|
|
|
|
If ALLOWED_HOSTS is properly set, this calls request.get_host;
|
|
otherwise, this returns whatever settings.SITE_NAME is set to.
|
|
|
|
This ensures we will never accept an untrusted value of get_host()
|
|
"""
|
|
if isinstance(settings.ALLOWED_HOSTS, (list, tuple)) and '*' not in settings.ALLOWED_HOSTS:
|
|
return request.get_host()
|
|
else:
|
|
return settings.SITE_NAME
|