Validating host header

[lieryan]

This is one way this issue could be addressed in Starlette. This basically change the type of the headers value for host to a marker class that inherits from bytes (TrustedHost) once the header is validated by TrustedHostMiddleware. This may cause compatibility issues with middlewares/applications that expects host to be exactly bytes.

There are other approaches this could have been addressed, such as:

• adding the validation marker into the scope, e.g. scope["host_validated"] = "blah.com"
• simply validating host against a regex pattern (must only contain characters that are allowed for a domain name), you can still be redirected to an unexpected malicious domain, but at least it would prevent most of the funkier attacks
• since raising a hard error here is necessarily backwards incompatible, maybe this should just print a warning instead for a few versions

Let me know if you think that another approach should be taken instead.

• Initially raised as discussion Host Header Attack: `url_for()` should not trust unvalidated Host header #1854, and ticket Host Header Attack: url_for() should not trust unvalidated Host header #1855