summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWill Hardy <django@willhardy.com.au>2013-03-27 17:37:08 +0100
committerTim Graham <timograham@gmail.com>2013-07-31 10:38:59 -0400
commit1c3c21b38d154eff0286c194711dced2ac39dd3d (patch)
treeb86b70a74d04122e1f8a8ef9e2664ac68249e5a8
parentacd1d439fd9b3e77bc0291dcd62c09f345d8622c (diff)
Fixed #19987 -- Disabled host validation when DEBUG=True.
The documentation promises that host validation is disabled when DEBUG=True, that all hostnames are accepted. Domains not compliant with RFC 1034/1035 were however being validated, this validation has now been removed when DEBUG=True. Additionally, when DEBUG=False a more detailed SuspiciousOperation exception message is provided when host validation fails because the hostname is not RFC 1034/1035 compliant.
-rw-r--r--django/http/request.py9
-rw-r--r--tests/requests/tests.py16
2 files changed, 23 insertions, 2 deletions
diff --git a/django/http/request.py b/django/http/request.py
index e222081450..9f9f32b1b4 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -68,14 +68,19 @@ class HttpRequest(object):
if server_port != ('443' if self.is_secure() else '80'):
host = '%s:%s' % (host, server_port)
- allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
+ # There is no hostname validation when DEBUG=True
+ if settings.DEBUG:
+ return host
+
domain, port = split_domain_port(host)
- if domain and validate_host(domain, allowed_hosts):
+ if domain and validate_host(domain, settings.ALLOWED_HOSTS):
return host
else:
msg = "Invalid HTTP_HOST header: %r." % host
if domain:
msg += "You may need to add %r to ALLOWED_HOSTS." % domain
+ else:
+ msg += "The domain name provided is not valid according to RFC 1034/1035"
raise DisallowedHost(msg)
def get_full_path(self):
diff --git a/tests/requests/tests.py b/tests/requests/tests.py
index 8c56e48f58..5bd3e5141f 100644
--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -620,12 +620,20 @@ class HostValidationTests(SimpleTestCase):
}
self.assertEqual(request.get_host(), 'example.com')
+ # Invalid hostnames would normally raise a SuspiciousOperation,
+ # but we have DEBUG=True, so this check is disabled.
+ request = HttpRequest()
+ request.META = {
+ 'HTTP_HOST': "invalid_hostname.com",
+ }
+ self.assertEqual(request.get_host(), "invalid_hostname.com")
@override_settings(ALLOWED_HOSTS=[])
def test_get_host_suggestion_of_allowed_host(self):
"""get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
msg_invalid_host = "Invalid HTTP_HOST header: %r."
msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS."
+ msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035"
for host in [ # Valid-looking hosts
'example.com',
@@ -664,6 +672,14 @@ class HostValidationTests(SimpleTestCase):
request.get_host
)
+ request = HttpRequest()
+ request.META = {'HTTP_HOST': "invalid_hostname.com"}
+ self.assertRaisesMessage(
+ SuspiciousOperation,
+ msg_suggestion2 % "invalid_hostname.com",
+ request.get_host
+ )
+
@skipIf(connection.vendor == 'sqlite'
and connection.settings_dict['TEST_NAME'] in (None, '', ':memory:'),