innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Fixed #20338 -- Stripped ending dot during host validation 

Thanks manfre for the report and Timo Graham for the review.
This commit is contained in:
Claude Paroz 2013-10-24 19:34:40 +02:00
parent 08c9ab5a0f
commit c052699be3
3 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/http/request.py
View File

@ -520,6 +520,8 @@ def validate_host(host, allowed_hosts):
Return ``True`` for a valid host, ``False`` otherwise. Return ``True`` for a valid host, ``False`` otherwise.
""" """
host = host[:-1] if host.endswith('.') else host
for pattern in allowed_hosts: for pattern in allowed_hosts:
pattern = pattern.lower() pattern = pattern.lower()
match = ( match = (

14
docs/ref/settings.txt
View File

@ -79,18 +79,22 @@ responsible to provide your own validation of the ``Host`` header (perhaps in a
middleware; if so this middleware must be listed first in middleware; if so this middleware must be listed first in
:setting:`MIDDLEWARE_CLASSES`). :setting:`MIDDLEWARE_CLASSES`).
.. note:: .. versionchanged:: 1.7
If you want to also allow the `fully qualified domain name (FQDN)`_, which In previous versions of Django, if you wanted to also allow the
some browsers can send in the Host header, you must explicitly add another `fully qualified domain name (FQDN)`_, which some browsers can send in the
ALLOWED_HOSTS entry that includes a trailing period. This entry can also be ``Host`` header, you had to explicitly add another ``ALLOWED_HOSTS`` entry
a subdomain wildcard:: that included a trailing period. This entry could also be a subdomain
wildcard::
ALLOWED_HOSTS = [ ALLOWED_HOSTS = [
'.example.com', # Allow domain and subdomains '.example.com', # Allow domain and subdomains
'.example.com.', # Also allow FQDN and subdomains '.example.com.', # Also allow FQDN and subdomains
] ]
In Django 1.7, the trailing dot is stripped when performing host validation,
thus an entry with a trailing dot isn't required.
.. _`fully qualified domain name (FQDN)`: http://en.wikipedia.org/wiki/Fully_qualified_domain_name .. _`fully qualified domain name (FQDN)`: http://en.wikipedia.org/wiki/Fully_qualified_domain_name
If the ``Host`` header (or ``X-Forwarded-Host`` if If the ``Host`` header (or ``X-Forwarded-Host`` if

4
tests/requests/tests.py
View File

@ -529,6 +529,8 @@ class HostValidationTests(SimpleTestCase):
'anything.multitenant.com', 'anything.multitenant.com',
'multitenant.com', 'multitenant.com',
'insensitive.com', 'insensitive.com',
'example.com.',
'example.com.:80',
] ]
for host in legit_hosts: for host in legit_hosts:
@ -539,7 +541,7 @@ class HostValidationTests(SimpleTestCase):
request.get_host() request.get_host()
# Poisoned host headers are rejected as suspicious # Poisoned host headers are rejected as suspicious
for host in chain(self.poisoned_hosts, ['other.com']): for host in chain(self.poisoned_hosts, ['other.com', 'example.com..']):
with self.assertRaises(SuspiciousOperation): with self.assertRaises(SuspiciousOperation):
request = HttpRequest() request = HttpRequest()
request.META = { request.META = {