Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True.

Gordon Pendleton 2019-11-23 21:17:31 -05:00 committed by Mariusz Felisiak
parent 3930ec1bf2
commit adb9661789
4 changed files with 10 additions and 4 deletions


@ -108,7 +108,7 @@ class HttpRequest:
# Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True. # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
allowed_hosts = settings.ALLOWED_HOSTS allowed_hosts = settings.ALLOWED_HOSTS
if settings.DEBUG and not allowed_hosts: if settings.DEBUG and not allowed_hosts:
allowed_hosts = ['localhost', '127.0.0.1', '[::1]'] allowed_hosts = ['.localhost', '127.0.0.1', '[::1]']
domain, port = split_domain_port(host) domain, port = split_domain_port(host)
if domain and validate_host(domain, allowed_hosts): if domain and validate_host(domain, allowed_hosts):
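Review bot: The comment at the top of the hunk still reads "Allow variants of localhost", which no longer tells a reader that `'.localhost'` is a wildcard entry or why widening the default is acceptable; I would extend it to `# Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True. The leading dot in '.localhost' makes validate_host() accept both 'localhost' and any subdomain of it; RFC 6761 reserves those names for loopback, so no external name should match.` The leading-dot semantics are those of validate_host, which is outside this hunk, so that claim is worth confirming against its implementation. Since the fallback list is only consulted when DEBUG is True and ALLOWED_HOSTS is empty, the wider match does not reach a production configuration that sets ALLOWED_HOSTS. The enclosing get_host method starts and ends outside the hunk.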


@ -90,7 +90,7 @@ list, the :meth:`django.http.HttpRequest.get_host()` method will raise
:exc:`~django.core.exceptions.SuspiciousOperation`. :exc:`~django.core.exceptions.SuspiciousOperation`.
When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
is validated against ``['localhost', '127.0.0.1', '[::1]']``. is validated against ``['.localhost', '127.0.0.1', '[::1]']``.
``ALLOWED_HOSTS`` is also :ref:`checked when running tests ``ALLOWED_HOSTS`` is also :ref:`checked when running tests
<topics-testing-advanced-multiple-hosts>`. <topics-testing-advanced-multiple-hosts>`.
@ -99,6 +99,11 @@ This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
if your code accesses the ``Host`` header directly from ``request.META`` you if your code accesses the ``Host`` header directly from ``request.META`` you
are bypassing this security protection. are bypassing this security protection.
.. versionchanged:: 3.1
If ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, subdomains of localhost
were allowed.
.. setting:: APPEND_SLASH .. setting:: APPEND_SLASH
``APPEND_SLASH`` ``APPEND_SLASH``


@ -222,7 +222,8 @@ Pagination
Requests and Responses Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
* ... * If :setting:`ALLOWED_HOSTS` is empty and ``DEBUG=True``, subdomains of
localhost are now allowed in the ``Host`` header, e.g. ``static.localhost``.
Serialization Serialization
~~~~~~~~~~~~~ ~~~~~~~~~~~~~


@ -758,7 +758,7 @@ class HostValidationTests(SimpleTestCase):
If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
allowed. allowed.
""" """
valid_hosts = ['localhost', '127.0.0.1', '[::1]'] valid_hosts = ['localhost', 'subdomain.localhost', '127.0.0.1', '[::1]']
for host in valid_hosts: for host in valid_hosts:
request = HttpRequest() request = HttpRequest()
request.META = {'HTTP_HOST': host} request.META = {'HTTP_HOST': host}
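Review bot: The updated test pins only hosts that must be accepted; now that the DEBUG fallback is a suffix wildcard, a regression that loosened it into a plain substring or suffix match (accepting e.g. `localhost.attacker.example`) would pass this loop unnoticed. Unless a rejection case already exists further down the file, I would add a second loop under the same DEBUG=True / empty ALLOWED_HOSTS override, `for host in ['localhost.example.com', 'notlocalhost', 'localhost.evil']:`, asserting that `request.get_host()` raises the SuspiciousOperation-derived DisallowedHost for each. A short comment on the new `'subdomain.localhost'` entry, such as `# '.localhost' in the DEBUG fallback must cover subdomains (#31010)`, would also record why that host is expected to pass. The enclosing test method begins before and continues past this hunk.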