authorTim Graham <timograham@gmail.com>2016-10-17 12:14:49 -0400
committerTim Graham <timograham@gmail.com>2016-10-25 15:27:45 -0400
commitc401ae9a7dfb1a94a8a61927ed541d6f93089587 (patch)
tree6f1b7aaeba7302b6789736e32dd2b797028d64db /django/http/request.py
parent70f99952965a430daf69eeb9947079aae535d2d0 (diff)
[1.8.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'django/http/request.py')
-rw-r--r--django/http/request.py9
1 files changed, 5 insertions, 4 deletions
diff --git a/django/http/request.py b/django/http/request.py
index 398cf20dfb..c680a39eab 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -85,12 +85,13 @@ class HttpRequest(object):
if server_port != ('443' if self.is_secure() else '80'):
host = '%s:%s' % (host, server_port)
- # There is no hostname validation when DEBUG=True
- if settings.DEBUG:
- return host
+ # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
+ allowed_hosts = settings.ALLOWED_HOSTS
+ if settings.DEBUG and not allowed_hosts:
+ allowed_hosts = ['localhost', '127.0.0.1', '[::1]']
domain, port = split_domain_port(host)
- if domain and validate_host(domain, settings.ALLOWED_HOSTS):
+ if domain and validate_host(domain, allowed_hosts):
return host
else:
msg = "Invalid HTTP_HOST header: %r." % host
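Review bot: The replacement comment at the top of the new block says what the fallback does but not why it exists, and the next maintainer who sees a DisallowedHost on a LAN IP with DEBUG=True will be tempted to restore the old unconditional `return host`; I would extend it to `# Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True. Any other host is still rejected (CVE-2016-9014): DEBUG mode must not accept arbitrary Host headers, so a dev server reachable under another name needs an explicit ALLOWED_HOSTS entry.` The attack vector for that CVE is not stated in the commit, so I would not name it in the comment unless the release note confirms it. Separately, the inline list `['localhost', '127.0.0.1', '[::1]']` is the only place this policy lives; hoisting it to a module-level constant such as `DEBUG_ALLOWED_HOSTS` would let tests and the "You may need to add %r to ALLOWED_HOSTS" message refer to the same values, and it relies on `split_domain_port` keeping the brackets on an IPv6 literal, which is worth a one-line note next to the `'[::1]'` entry. The enclosing `get_host` method starts before the hunk.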