Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS.

This commit is contained in:
rroskam 2015-06-16 16:08:03 -04:00 committed by Tim Graham
parent c96f11257b
commit ed514caed2
3 changed files with 26 additions and 0 deletions

View File

@ -95,6 +95,11 @@ W019 = Warning(
id='security.W019',
)
W020 = Warning(
"ALLOWED_HOSTS must not be empty in deployment.",
id='security.W020',
)
def _security_middleware():
return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES
@ -182,3 +187,8 @@ def check_xframe_deny(app_configs, **kwargs):
settings.X_FRAME_OPTIONS == 'DENY'
)
return [] if passed_check else [W019]
@register(Tags.security, deploy=True)
def check_allowed_hosts(app_configs, **kwargs):
return [] if settings.ALLOWED_HOSTS else [W020]

View File

@ -476,6 +476,7 @@ of the :djadmin:`check` command:
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
for your site to serve other parts of itself in a frame, you should change
it to ``'DENY'``.
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
Sites
-----

View File

@ -482,3 +482,18 @@ class CheckDebugTest(SimpleTestCase):
@override_settings(DEBUG=False)
def test_debug_false(self):
self.assertEqual(self.func(None), [])
class CheckAllowedHostsTest(SimpleTestCase):
@property
def func(self):
from django.core.checks.security.base import check_allowed_hosts
return check_allowed_hosts
@override_settings(ALLOWED_HOSTS=[])
def test_allowed_hosts_empty(self):
self.assertEqual(self.func(None), [base.W020])
@override_settings(ALLOWED_HOSTS=['.example.com', ])
def test_allowed_hosts_set(self):
self.assertEqual(self.func(None), [])