From ed514caed20995814712fd6c9e9c4120b4ac64be Mon Sep 17 00:00:00 2001
From: rroskam
Date: Tue, 16 Jun 2015 16:08:03 -0400
Subject: [PATCH] Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS.

---
 django/core/checks/security/base.py | 10 ++++++++++
 docs/ref/checks.txt | 1 +
 tests/check_framework/test_security.py | 15 +++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
index f740b63c7b..eacbb90843 100644
--- a/django/core/checks/security/base.py
+++ b/django/core/checks/security/base.py
@@ -95,6 +95,11 @@ W019 = Warning(
 id='security.W019',
 )
+W020 = Warning(
+ "ALLOWED_HOSTS must not be empty in deployment.",
+ id='security.W020',
+)
+
 def _security_middleware():
 return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES
@@ -182,3 +187,8 @@ def check_xframe_deny(app_configs, **kwargs):
 settings.X_FRAME_OPTIONS == 'DENY'
 )
 return [] if passed_check else [W019]
+
+
+@register(Tags.security, deploy=True)
+def check_allowed_hosts(app_configs, **kwargs):
+ return [] if settings.ALLOWED_HOSTS else [W020]
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index 05a2e6e88f..3f81720c72 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -476,6 +476,7 @@ of the :djadmin:`check` command: ``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to ``'DENY'``.
+* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
 Sites
 -----
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
index 42e186d639..adf1af952c 100644
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
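Review bot: The W020 message in the first base.py hunk states the rule but not what goes wrong, so a user running `check --deploy` gets no hint of the failure mode; as far as I recall, with DEBUG=False an empty ALLOWED_HOSTS makes Django reject every request as a disallowed host. A message that carries the consequence, e.g. `"ALLOWED_HOSTS must not be empty in deployment; with DEBUG=False no incoming Host header would be accepted."`, would put it in line with the explanatory style the other security warnings in this file appear to use (their bodies are outside the hunk). The same text should then be mirrored in the docs/ref/checks.txt bullet.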
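Review bot: `check_allowed_hosts` in the second base.py hunk accepts any truthy value, so a wildcard setting such as `['*']` — which I believe disables host validation altogether — passes the deployment check exactly like a real host list. If that is the intended scope, make it explicit with a comment, e.g. `# Only emptiness is checked; a '*' wildcard is the operator's deliberate opt-out.`; if not, a companion warning for the wildcard would be the natural follow-up. The new function also lacks a docstring; a one-liner such as `"""Deployment check: report W020 when ALLOWED_HOSTS is empty."""` would match the registered checks above it.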
@@ -482,3 +482,18 @@ class CheckDebugTest(SimpleTestCase):
 @override_settings(DEBUG=False)
 def test_debug_false(self):
 self.assertEqual(self.func(None), [])
+
+
+class CheckAllowedHostsTest(SimpleTestCase):
+ @property
+ def func(self):
+ from django.core.checks.security.base import check_allowed_hosts
+ return check_allowed_hosts
+
+ @override_settings(ALLOWED_HOSTS=[])
+ def test_allowed_hosts_empty(self):
+ self.assertEqual(self.func(None), [base.W020])
+
+ @override_settings(ALLOWED_HOSTS=['.example.com', ])
+ def test_allowed_hosts_set(self):
+ self.assertEqual(self.func(None), [])
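Review bot: `@override_settings(ALLOWED_HOSTS=['.example.com', ])` has a stray space before the closing bracket (flake8 E202 territory); write it `@override_settings(ALLOWED_HOSTS=['.example.com'])`. The two cases only pin empty versus set, and since the check is a plain truthiness test, a third case with `ALLOWED_HOSTS=['*']` expecting `[]` would document that the wildcard is deliberately not flagged by W020. `test_allowed_hosts_empty` references `base.W020` while the `func` property imports the check locally; this presumably relies on a module-level `base` import outside the hunk that the sibling classes already use — worth confirming.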