Commit 1c3c21b3 authored by Will Hardy's avatar Will Hardy Committed by Tim Graham

Fixed #19987 -- Disabled host validation when DEBUG=True.

The documentation promises that host validation is disabled when
DEBUG=True, i.e. that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however still being validated; this validation has now
been removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
parent acd1d439
+7 −2
@@ -68,14 +68,19 @@ class HttpRequest(object):
            if server_port != ('443' if self.is_secure() else '80'):
                host = '%s:%s' % (host, server_port)

        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
        # There is no hostname validation when DEBUG=True
        if settings.DEBUG:
            return host

        domain, port = split_domain_port(host)
        if domain and validate_host(domain, allowed_hosts):
        if domain and validate_host(domain, settings.ALLOWED_HOSTS):
            return host
        else:
            msg = "Invalid HTTP_HOST header: %r." % host
            if domain:
                msg += "You may need to add %r to ALLOWED_HOSTS." % domain
            else:
                msg += "The domain name provided is not valid according to RFC 1034/1035"
            raise DisallowedHost(msg)

    def get_full_path(self):
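Review bot: The fragments appended on the `msg +=` lines are concatenated onto `"Invalid HTTP_HOST header: %r."` with no separating space, so the exception text reads `...header: 'x'.The domain name...`, and the new RFC 1034/1035 branch has no terminating period. Changing the prefix to `msg = "Invalid HTTP_HOST header: %r. " % host` and ending the new line with `"...according to RFC 1034/1035."` fixes both; the mirrored format strings `msg_invalid_host`, `msg_suggestion` and `msg_suggestion2` in the test file section below carry the same wording and would need the matching edit. The comment above the early return could also say what the caller actually receives, e.g. `# DEBUG=True: the client-supplied host is returned as-is, without split/validation`, since code that builds absolute URLs from get_host() now gets that raw value in DEBUG. get_host() begins outside the hunk, so where `host` is read from is not visible here.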
+16 −0
@@ -620,12 +620,20 @@ class HostValidationTests(SimpleTestCase):
        }
        self.assertEqual(request.get_host(), 'example.com')

        # Invalid hostnames would normally raise a SuspiciousOperation,
        # but we have DEBUG=True, so this check is disabled.
        request = HttpRequest()
        request.META = {
            'HTTP_HOST': "invalid_hostname.com",
        }
        self.assertEqual(request.get_host(), "invalid_hostname.com")

    @override_settings(ALLOWED_HOSTS=[])
    def test_get_host_suggestion_of_allowed_host(self):
        """get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
        msg_invalid_host = "Invalid HTTP_HOST header: %r."
        msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS."
        msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035"

        for host in [ # Valid-looking hosts
            'example.com',
@@ -664,6 +672,14 @@ class HostValidationTests(SimpleTestCase):
                request.get_host
            )

        request = HttpRequest()
        request.META = {'HTTP_HOST': "invalid_hostname.com"}
        self.assertRaisesMessage(
            SuspiciousOperation,
            msg_suggestion2 % "invalid_hostname.com",
            request.get_host
        )


@skipIf(connection.vendor == 'sqlite'
        and connection.settings_dict['TEST_NAME'] in (None, '', ':memory:'),
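Review bot: The docstring of `test_get_host_suggestion_of_allowed_host` still describes only the valid-looking-host case, but the second hunk adds an assertion for a non-RFC-compliant name (`invalid_hostname.com`) with the `msg_suggestion2` text, so it no longer matches what the test checks. Suggested docstring: `"""get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS, and reports a non RFC 1034/1035 compliant name."""`. The DEBUG=True case in the first hunk exercises only an underscore in the domain; a second META value that also carries a port would show that the early return really bypasses `split_domain_port` rather than just the validation. The test method's loop body and the enclosing class run outside both hunks, so the remaining assertions are not visible here; the assertion presumably relies on DisallowedHost being a SuspiciousOperation subclass, which this page does not show.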