p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #19987 -- Disabled host validation when DEBUG=True. 

The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated, this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
This commit is contained in:
Will Hardy 2013-03-27 17:37:08 +01:00 committed by Tim Graham
parent acd1d439fd
commit 1c3c21b38d
2 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
django/http/request.py
View File

@ -68,14 +68,19 @@ class HttpRequest(object):
if server_port != ('443' if self.is_secure() else '80'): if server_port != ('443' if self.is_secure() else '80'):
host = '%s:%s' % (host, server_port) host = '%s:%s' % (host, server_port)
allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS # There is no hostname validation when DEBUG=True
if settings.DEBUG:
return host
domain, port = split_domain_port(host) domain, port = split_domain_port(host)
if domain and validate_host(domain, allowed_hosts): if domain and validate_host(domain, settings.ALLOWED_HOSTS):
return host return host
else: else:
msg = "Invalid HTTP_HOST header: %r." % host msg = "Invalid HTTP_HOST header: %r." % host
if domain: if domain:
msg += "You may need to add %r to ALLOWED_HOSTS." % domain msg += "You may need to add %r to ALLOWED_HOSTS." % domain
else:
msg += "The domain name provided is not valid according to RFC 1034/1035"
raise DisallowedHost(msg) raise DisallowedHost(msg)
def get_full_path(self): def get_full_path(self):

16
tests/requests/tests.py
View File

@ -620,12 +620,20 @@ class HostValidationTests(SimpleTestCase):
} }
self.assertEqual(request.get_host(), 'example.com') self.assertEqual(request.get_host(), 'example.com')
# Invalid hostnames would normally raise a SuspiciousOperation,
# but we have DEBUG=True, so this check is disabled.
request = HttpRequest()
request.META = {
'HTTP_HOST': "invalid_hostname.com",
}
self.assertEqual(request.get_host(), "invalid_hostname.com")
@override_settings(ALLOWED_HOSTS=[]) @override_settings(ALLOWED_HOSTS=[])
def test_get_host_suggestion_of_allowed_host(self): def test_get_host_suggestion_of_allowed_host(self):
"""get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS.""" """get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
msg_invalid_host = "Invalid HTTP_HOST header: %r." msg_invalid_host = "Invalid HTTP_HOST header: %r."
msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS." msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS."
msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035"
for host in [ # Valid-looking hosts for host in [ # Valid-looking hosts
'example.com', 'example.com',
@ -664,6 +672,14 @@ class HostValidationTests(SimpleTestCase):
request.get_host request.get_host
) )
request = HttpRequest()
request.META = {'HTTP_HOST': "invalid_hostname.com"}
self.assertRaisesMessage(
SuspiciousOperation,
msg_suggestion2 % "invalid_hostname.com",
request.get_host
)
@skipIf(connection.vendor == 'sqlite' @skipIf(connection.vendor == 'sqlite'
and connection.settings_dict['TEST_NAME'] in (None, '', ':memory:'), and connection.settings_dict['TEST_NAME'] in (None, '', ':memory:'),