| author | Tim Graham <timograham@gmail.com> | 2016-10-17 12:14:49 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-10-25 15:27:45 -0400 |
| commit | c401ae9a7dfb1a94a8a61927ed541d6f93089587 (patch) | |
| tree | 6f1b7aaeba7302b6789736e32dd2b797028d64db /tests/requests/tests.py | |
| parent | 70f99952965a430daf69eeb9947079aae535d2d0 (diff) | |
[1.8.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'tests/requests/tests.py')
| -rw-r--r-- | tests/requests/tests.py | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/tests/requests/tests.py b/tests/requests/tests.py
index f4a8aead92..87fb0c91fe 100644
--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -673,21 +673,22 @@ class HostValidationTests(SimpleTestCase):
 request.get_host()
 @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
- def test_host_validation_disabled_in_debug_mode(self):
- """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
- request = HttpRequest()
- request.META = {
- 'HTTP_HOST': 'example.com',
- }
- self.assertEqual(request.get_host(), 'example.com')
+ def test_host_validation_in_debug_mode(self):
+ """
+ If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
+ allowed.
+ """
+ valid_hosts = ['localhost', '127.0.0.1', '[::1]']
+ for host in valid_hosts:
+ request = HttpRequest()
+ request.META = {'HTTP_HOST': host}
+ self.assertEqual(request.get_host(), host)
- # Invalid hostnames would normally raise a SuspiciousOperation,
- # but we have DEBUG=True, so this check is disabled.
- request = HttpRequest()
- request.META = {
- 'HTTP_HOST': "invalid_hostname.com",
- }
- self.assertEqual(request.get_host(), "invalid_hostname.com")
+ # Other hostnames raise a SuspiciousOperation.
+ with self.assertRaises(SuspiciousOperation):
+ request = HttpRequest()
+ request.META = {'HTTP_HOST': 'example.com'}
+ request.get_host()
 @override_settings(ALLOWED_HOSTS=[])
 def test_get_host_suggestion_of_allowed_host(self):
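Review bot: The new test_host_validation_in_debug_mode only pins the exact-match side of the allowlist from one direction: the single negative case is `example.com`, so a regression that matched the DEBUG fallback hosts by prefix or substring (`localhost.example.com`, `127.0.0.1.example.com`) would still pass this test even though it would reopen the host-header hole the commit is closing. The positive loop also omits the port-suffixed forms the development server is actually reached on (`localhost:8000`, `127.0.0.1:8000`, `[::1]:8000`), which is the shape `HTTP_HOST` usually has in DEBUG and is presumably meant to be accepted by the fallback — worth confirming against the `get_host()` change in the companion hunk. As a point of style, the `request = HttpRequest()` and `request.META = ...` setup sits inside the `assertRaises` block, so only `request.get_host()` should be under the context manager to keep the assertion scoped to the call being tested. The enclosing class HostValidationTests starts outside this hunk.
```python
        valid_hosts = ['localhost', '127.0.0.1', '[::1]', 'localhost:8000', '127.0.0.1:8000', '[::1]:8000']
        # … unchanged: loop asserting each valid host is returned by get_host() …

        # Hosts that merely contain a localhost variant must still be rejected
        # (the fallback allowlist is exact-match, not a prefix or suffix match).
        for host in ['example.com', 'localhost.example.com', '127.0.0.1.example.com']:
            request = HttpRequest()
            request.META = {'HTTP_HOST': host}
            with self.assertRaises(SuspiciousOperation):
                request.get_host()
```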
