Fixed #19987 All host validation disabled when DEBUG=True. #996

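--- a/django/http/request.py
+++ b/django/http/request.py
@@ -64,14 +64,19 @@ def get_host(self):
         if server_port != ('443' if self.is_secure() else '80'):
             host = '%s:%s' % (host, server_port)
 
-        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
+        # There is no hostname validation when DEBUG=True
+        if settings.DEBUG:
+            return host
+
         domain, port = split_domain_port(host)
-        if domain and validate_host(domain, allowed_hosts):
+        if domain and validate_host(domain, settings.ALLOWED_HOSTS):
             return host
         else:
             msg = "Invalid HTTP_HOST header: %r." % host
             if domain:
                 msg += "You may need to add %r to ALLOWED_HOSTS." % domain
+            else:
+                msg += "The domain name provided is not valid according to RFC 1034/1035"
             raise SuspiciousOperation(msg)
 
     def get_full_path(self):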
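Review bot: The early `return host` under `settings.DEBUG` now skips `split_domain_port` and `validate_host` entirely, so a malformed host such as the underscore label the new test uses is accepted in DEBUG, whereas the removed `['*']` path still went through `split_domain_port` and, judging by the new else-branch message, would have raised for a host that fails the RFC 1034/1035 syntax check; the comment should say that this widening is deliberate, e.g. `# DEBUG=True disables host validation entirely, including the RFC 1034/1035 syntax check (#19987)`. The new else message is also the only sentence in this block without a terminating period and, like the existing suggestion, is appended to `"...header: %r."` with no separating space; `msg += " The domain name provided is not valid according to RFC 1034/1035."` reads better, with the expected string in tests/requests/tests.py updated to match. `port` from `split_domain_port` is still unused after the change. get_host starts outside the hunk.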
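--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -286,12 +286,21 @@ def test_host_validation_disabled_in_debug_mode(self):
         }
         self.assertEqual(request.get_host(), 'example.com')
 
+        # Invalid hostnames would normally raise a SuspiciousOperation,
+        # but we have DEBUG=True, so this check is disabled.
+        request = HttpRequest()
+        request.META = {
+            'HTTP_HOST': "invalid_hostname.com",
+        }
+        self.assertEqual(request.get_host(), "invalid_hostname.com")
+
 
     @override_settings(ALLOWED_HOSTS=[])
     def test_get_host_suggestion_of_allowed_host(self):
         """get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
         msg_invalid_host = "Invalid HTTP_HOST header: %r."
         msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS."
+        msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035"
 
         for host in [ # Valid-looking hosts
             'example.com',
@@ -336,6 +345,14 @@ def test_get_host_suggestion_of_allowed_host(self):
                 request.get_host
             )
 
+        request = HttpRequest()
+        request.META = {'HTTP_HOST': "invalid_hostname.com"}
+        self.assertRaisesMessage(
+            SuspiciousOperation,
+            msg_suggestion2 % "invalid_hostname.com",
+            request.get_host
+        )
+
 
     def test_near_expiration(self):
         "Cookie will expire when an near expiration time is provided"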
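Review bot: The new assertRaisesMessage block for "invalid_hostname.com" in the second hunk is a one-off appended after the method's loops, while the rest of test_get_host_suggestion_of_allowed_host drives its assertions from host lists such as the `# Valid-looking hosts` list visible in the first hunk; if the method already has a corresponding invalid-hosts loop (the method starts and continues outside these hunks), the new case belongs there with `msg_suggestion2`, otherwise a comment like `# Malformed hostname: no ALLOWED_HOSTS suggestion, only the RFC 1034/1035 message` should explain why it stands alone. A single underscore-label example is also thin coverage for the new else branch; one more malformed form would make the assertion less incidental. The first hunk's DEBUG assertion repeats the same host literal three times across the two hunks, so a module-level constant would keep the test in step if the example host ever changes.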