diff --git a/src/admin/middleware.py b/src/admin/middleware.py index eafab188..e4b878f8 100644 --- a/src/admin/middleware.py +++ b/src/admin/middleware.py @@ -27,22 +27,33 @@ class TrustedHostMiddleware(MiddlewareMixin): """ def __call__(self, request): - # Headers to check for the host value, in priority order. - # X-Forwarded-Host is typically set by proxies. - # HTTP_HOST is the standard header sent by clients. - # HTTP_ORIGIN and HTTP_REFERER can offer fallbacks. headers_to_check = [ - 'HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'HTTP_ORIGIN', 'HTTP_REFERER' + ('HTTP_X_FORWARDED_HOST', 'X-Forwarded-Host'), + ('HTTP_HOST', 'Host'), + ('HTTP_ORIGIN', 'Origin'), + ('HTTP_REFERER', 'Referer') ] - for header in headers_to_check: - host_value = request.META.get(header, '') + host_name = None + for meta_key, header in headers_to_check: + # Prefer META if defined; fallback to request.headers + host_value = (request.META.get(meta_key) + or request.headers.get(header, '')) # Extract the hostname, excluding protocol and path. host_name = self.extract_hostname(host_value) - # If extracted host is allowed, set it as HTTP_HOST - if self.is_allowed_host(host_name): + if host_name and self.is_allowed_host(host_name): request.META['HTTP_HOST'] = host_name break + host_name = None + + if not host_name: + # Fallback to using host from request URL if no matching header + fallback_host = (request.build_absolute_uri() + .split('//')[1].split('/')[0]) + fallback_host_name = self.extract_hostname(fallback_host) + if self.is_allowed_host(fallback_host_name): + request.META['HTTP_HOST'] = fallback_host_name + return self.get_response(request) def extract_hostname(self, value):