diff --git a/django/http/request.py b/django/http/request.py index 933af0f13ea..5c567b9c467 100644 --- a/django/http/request.py +++ b/django/http/request.py @@ -108,7 +108,7 @@ class HttpRequest: # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True. allowed_hosts = settings.ALLOWED_HOSTS if settings.DEBUG and not allowed_hosts: - allowed_hosts = ['localhost', '127.0.0.1', '[::1]'] + allowed_hosts = ['.localhost', '127.0.0.1', '[::1]'] domain, port = split_domain_port(host) if domain and validate_host(domain, allowed_hosts): diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6c8ea9b7626..3c360cf2841 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -90,7 +90,7 @@ list, the :meth:`django.http.HttpRequest.get_host()` method will raise :exc:`~django.core.exceptions.SuspiciousOperation`. When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host -is validated against ``['localhost', '127.0.0.1', '[::1]']``. +is validated against ``['.localhost', '127.0.0.1', '[::1]']``. ``ALLOWED_HOSTS`` is also :ref:`checked when running tests `. @@ -99,6 +99,11 @@ This validation only applies via :meth:`~django.http.HttpRequest.get_host()`; if your code accesses the ``Host`` header directly from ``request.META`` you are bypassing this security protection. +.. versionchanged:: 3.1 + + If ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, subdomains of localhost + were allowed. + .. setting:: APPEND_SLASH ``APPEND_SLASH`` diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt index 4c8cc56797f..631978d0acc 100644 --- a/docs/releases/3.1.txt +++ b/docs/releases/3.1.txt @@ -222,7 +222,8 @@ Pagination Requests and Responses ~~~~~~~~~~~~~~~~~~~~~~ -* ... +* If :setting:`ALLOWED_HOSTS` is empty and ``DEBUG=True``, subdomains of + localhost are now allowed in the ``Host`` header, e.g. ``static.localhost``. Serialization ~~~~~~~~~~~~~ diff --git a/tests/requests/tests.py b/tests/requests/tests.py index 3320c59ba3a..c57d5caae2d 100644 --- a/tests/requests/tests.py +++ b/tests/requests/tests.py @@ -758,7 +758,7 @@ class HostValidationTests(SimpleTestCase): If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are allowed. """ - valid_hosts = ['localhost', '127.0.0.1', '[::1]'] + valid_hosts = ['localhost', 'subdomain.localhost', '127.0.0.1', '[::1]'] for host in valid_hosts: request = HttpRequest() request.META = {'HTTP_HOST': host}