diff --git a/django/http/request.py b/django/http/request.py index e222081450b..9f9f32b1b44 100644 --- a/django/http/request.py +++ b/django/http/request.py @@ -68,14 +68,19 @@ class HttpRequest(object): if server_port != ('443' if self.is_secure() else '80'): host = '%s:%s' % (host, server_port) - allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS + # There is no hostname validation when DEBUG=True + if settings.DEBUG: + return host + domain, port = split_domain_port(host) - if domain and validate_host(domain, allowed_hosts): + if domain and validate_host(domain, settings.ALLOWED_HOSTS): return host else: msg = "Invalid HTTP_HOST header: %r." % host if domain: msg += "You may need to add %r to ALLOWED_HOSTS." % domain + else: + msg += "The domain name provided is not valid according to RFC 1034/1035" raise DisallowedHost(msg) def get_full_path(self): diff --git a/tests/requests/tests.py b/tests/requests/tests.py index 8c56e48f582..5bd3e5141f9 100644 --- a/tests/requests/tests.py +++ b/tests/requests/tests.py @@ -620,12 +620,20 @@ class HostValidationTests(SimpleTestCase): } self.assertEqual(request.get_host(), 'example.com') + # Invalid hostnames would normally raise a SuspiciousOperation, + # but we have DEBUG=True, so this check is disabled. + request = HttpRequest() + request.META = { + 'HTTP_HOST': "invalid_hostname.com", + } + self.assertEqual(request.get_host(), "invalid_hostname.com") @override_settings(ALLOWED_HOSTS=[]) def test_get_host_suggestion_of_allowed_host(self): """get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS.""" msg_invalid_host = "Invalid HTTP_HOST header: %r." msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS." + msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035" for host in [ # Valid-looking hosts 'example.com', @@ -664,6 +672,14 @@ class HostValidationTests(SimpleTestCase): request.get_host ) + request = HttpRequest() + request.META = {'HTTP_HOST': "invalid_hostname.com"} + self.assertRaisesMessage( + SuspiciousOperation, + msg_suggestion2 % "invalid_hostname.com", + request.get_host + ) + @skipIf(connection.vendor == 'sqlite' and connection.settings_dict['TEST_NAME'] in (None, '', ':memory:'),