Fixed #19987 All host validation disabled when DEBUG=True. #996


@willhardy

The documentation promises that host validation is disabled when
DEBUG=True, i.e. that all hostnames are accepted. Hostnames not compliant
with RFC 1034/1035 were, however, still being validated (and rejected);
that validation is now skipped when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.

Will Hardy All host validation disabled when DEBUG=True.
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated, this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
c842924
@timgraham
Owner

merged in 1c3c21b - thanks!

Commits on Mar 27, 2013
  1. All host validation disabled when DEBUG=True.

    Will Hardy authored
    The documentation promises that host validation is disabled when
    DEBUG=True, that all hostnames are accepted. Domains not compliant with
    RFC 1034/1035 were however being validated, this validation has now been
    removed when DEBUG=True.
    
    Additionally, when DEBUG=False a more detailed SuspiciousOperation
    exception message is provided when host validation fails because the
    hostname is not RFC 1034/1035 compliant.
Showing with 24 additions and 2 deletions.
  1. +7 −2 django/http/request.py
  2. +17 −0 tests/requests/tests.py
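--- a/django/http/request.py
+++ b/django/http/request.py
@@ -64,14 +64,19 @@ def get_host(self):
 if server_port != ('443' if self.is_secure() else '80'):
 host = '%s:%s' % (host, server_port)
-allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
+# There is no hostname validation when DEBUG=True
+if settings.DEBUG:
+return host
+
 domain, port = split_domain_port(host)
-if domain and validate_host(domain, allowed_hosts):
+if domain and validate_host(domain, settings.ALLOWED_HOSTS):
 return host
 else:
 msg = "Invalid HTTP_HOST header: %r." % host
 if domain:
 msg += "You may need to add %r to ALLOWED_HOSTS." % domain
+else:
+msg += "The domain name provided is not valid according to RFC 1034/1035"
 raise SuspiciousOperation(msg)
 def get_full_path(self):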
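Review bot: The new reason text is appended straight after `"Invalid HTTP_HOST header: %r."`, so the raised message reads `...'invalid_hostname.com'.The domain name provided is not valid according to RFC 1034/1035` with no separator and no terminating period; the existing `You may need to add` branch has the same seam, so prefer `msg += " The domain name provided is not valid according to RFC 1034/1035."` (and update `msg_suggestion2` in the test to match). The wording also over-claims slightly: `domain` is empty whenever `split_domain_port` fails to parse, which presumably covers an empty host or a malformed `:port` suffix as well as an RFC-noncompliant name, so "The domain name or port provided is not valid" would be the safer statement. The `settings.DEBUG` early return is a security-relevant decision and deserves a why-comment rather than a what-comment, e.g. `# DEBUG=True accepts any Host header (no ALLOWED_HOSTS or syntax check); never run with DEBUG=True in production.` The body of `get_host` starts before this hunk.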
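--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -286,12 +286,21 @@ def test_host_validation_disabled_in_debug_mode(self):
 }
 self.assertEqual(request.get_host(), 'example.com')
+# Invalid hostnames would normally raise a SuspiciousOperation,
+# but we have DEBUG=True, so this check is disabled.
+request = HttpRequest()
+request.META = {
+'HTTP_HOST': "invalid_hostname.com",
+}
+self.assertEqual(request.get_host(), "invalid_hostname.com")
+
 @override_settings(ALLOWED_HOSTS=[])
 def test_get_host_suggestion_of_allowed_host(self):
 """get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
 msg_invalid_host = "Invalid HTTP_HOST header: %r."
 msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS."
+msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035"
 for host in [ # Valid-looking hosts
 'example.com',
@@ -336,6 +345,14 @@ def test_get_host_suggestion_of_allowed_host(self):
 request.get_host
 )
+request = HttpRequest()
+request.META = {'HTTP_HOST': "invalid_hostname.com"}
+self.assertRaisesMessage(
+SuspiciousOperation,
+msg_suggestion2 % "invalid_hostname.com",
+request.get_host
+)
+
 def test_near_expiration(self):
 "Cookie will expire when an near expiration time is provided"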
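Review bot: The new DEBUG=True case in the first hunk only exercises an underscore in the name, while the early return in `get_host` now skips `split_domain_port` entirely, so a value such as `'example.com:abc'` (or an empty `HTTP_HOST`) would pin the "all host validation disabled" promise more fully; one extra `self.assertEqual(request.get_host(), 'example.com:abc')` with `request.META = {'HTTP_HOST': 'example.com:abc'}` would do, assuming the port check lives in that helper. In the second hunk, `msg_suggestion2 % "invalid_hostname.com"` pins the message byte-for-byte, so any punctuation or wording fix to the message in `get_host` must be mirrored in `msg_suggestion2`. `test_host_validation_disabled_in_debug_mode` starts before the first hunk, and the body of `test_get_host_suggestion_of_allowed_host` runs between the two hunks, outside this view.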