| author | Carl Meyer <carl@oddbird.net> | 2013-02-09 10:17:01 -0700 |
|---|---|---|
| committer | Carl Meyer <carl@oddbird.net> | 2013-02-19 11:23:29 -0700 |
| commit | d51fb74360b94f2a856573174f8aae3cd905dd35 (patch) | |
| tree | c2d663edd49bfe6c09f8f492630f5dd344409ad6 /tests/regressiontests/requests | |
| parent | 1add79bc4007fee658f193b65aea2af2347aab6b (diff) | |
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
Diffstat (limited to 'tests/regressiontests/requests')
| -rw-r--r-- | tests/regressiontests/requests/tests.py | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
index 84928f39ba..345376d2df 100644
--- a/tests/regressiontests/requests/tests.py
+++ b/tests/regressiontests/requests/tests.py
@@ -84,7 +84,13 @@ class RequestsTests(unittest.TestCase):
 self.assertEqual(request.build_absolute_uri(location="/path/with:colons"),
 'http://www.example.com/path/with:colons')
 
- @override_settings(USE_X_FORWARDED_HOST=False)
+ @override_settings(
+ USE_X_FORWARDED_HOST=False,
+ ALLOWED_HOSTS=[
+ 'forward.com', 'example.com', 'internal.com', '12.34.56.78',
+ '[2001:19f0:feee::dead:beef:cafe]', 'xn--4ca9at.com',
+ '.multitenant.com', 'INSENSITIVE.com',
+ ])
 def test_http_get_host(self):
 # Check if X_FORWARDED_HOST is provided.
 request = HttpRequest()
@@ -131,6 +137,9 @@ class RequestsTests(unittest.TestCase):
 '[2001:19f0:feee::dead:beef:cafe]',
 '[2001:19f0:feee::dead:beef:cafe]:8080',
 'xn--4ca9at.com', # Punnycode for öäü.com
+ 'anything.multitenant.com',
+ 'multitenant.com',
+ 'insensitive.com',
 ]
 
 poisoned_hosts = [
@@ -139,6 +148,7 @@ class RequestsTests(unittest.TestCase):
 'example.com:dr.frankenstein@evil.tld:80',
 'example.com:80/badpath',
 'example.com: recovermypassword.com',
+ 'other.com', # not in ALLOWED_HOSTS
 ]
 
 for host in legit_hosts:
@@ -156,7 +166,7 @@ class RequestsTests(unittest.TestCase):
 }
 request.get_host()
 
- @override_settings(USE_X_FORWARDED_HOST=True)
+ @override_settings(USE_X_FORWARDED_HOST=True, ALLOWED_HOSTS=['*'])
 def test_http_get_host_with_x_forwarded_host(self):
 # Check if X_FORWARDED_HOST is provided.
 request = HttpRequest()
@@ -229,6 +239,16 @@ class RequestsTests(unittest.TestCase):
 request.get_host()
 
+ @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+ def test_host_validation_disabled_in_debug_mode(self):
+ """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+ request = HttpRequest()
+ request.META = {
+ 'HTTP_HOST': 'example.com',
+ }
+ self.assertEqual(request.get_host(), 'example.com')
+
+
 def test_near_expiration(self):
 "Cookie will expire when an near expiration time is provided"
 response = HttpResponse()
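Review bot: The only rejection case this hunk adds to poisoned_hosts is `'other.com'`, so the suffix-matching semantics that the new ALLOWED_HOSTS entries introduce are never exercised from the negative side. Since `'anything.multitenant.com'` and `'multitenant.com'` are accepted via the `'.multitenant.com'` entry while `'example.com'` is listed without a leading dot, the list should also hold hosts that sit just outside those rules: `'sub.example.com', # exact entry, no wildcard`, `'example.com.evil.tld', # allowed name used as a prefix` and `'anythingmultitenant.com', # no dot before the wildcard suffix`. A matcher that did a bare endswith or substring comparison would pass every existing assertion and still accept all three. The legit_hosts and poisoned_hosts loops that consume these lists start and end outside the hunk.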
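Review bot: Setting `ALLOWED_HOSTS=['*']` on test_http_get_host_with_x_forwarded_host keeps that test about header precedence, but it also means nothing visible here checks that the X-Forwarded-Host value, not HTTP_HOST, is what gets validated against ALLOWED_HOSTS when USE_X_FORWARDED_HOST is on — the case a proxy-fronted deployment actually relies on. A companion test decorated `@override_settings(USE_X_FORWARDED_HOST=True, ALLOWED_HOSTS=['forward.com'])` that sends `'HTTP_X_FORWARDED_HOST': 'forward.com'` together with an HTTP_HOST absent from the list and asserts get_host() returns 'forward.com', plus the reverse pairing asserting rejection, would pin that down. Whether such a test already exists elsewhere in the file cannot be seen from this hunk; the method body continues past it.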
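Review bot: The docstring on test_host_validation_disabled_in_debug_mode says "all hosts pass", but the test asserts only that one well-formed host is returned, and there is no counterpart asserting that with DEBUG=False the same empty ALLOWED_HOSTS rejects that host — which is the guarantee the new setting exists to provide. Narrow the docstring to `"""With DEBUG=True and an empty ALLOWED_HOSTS, a host in no list is still accepted."""` and add the negative test below; the exception name there assumes get_host() raises SuspiciousOperation, which the poisoned-host loop earlier in the file presumably asserts, so confirm it against that assertRaises. The trailing `}` context line before `request.get_host()` that the hunk header's old-side count implies appears to have been lost in rendering. test_near_expiration continues outside the hunk.

```python
    @override_settings(DEBUG=False, ALLOWED_HOSTS=[])
    def test_host_validation_enforced_outside_debug_mode(self):
        """With DEBUG=False an empty ALLOWED_HOSTS rejects every host."""
        request = HttpRequest()
        request.META = {
            'HTTP_HOST': 'example.com',
        }
        # Same exception the poisoned-host loop expects -- confirm.
        with self.assertRaises(SuspiciousOperation):
            request.get_host()
```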
