From d51fb74360b94f2a856573174f8aae3cd905dd35 Mon Sep 17 00:00:00 2001
From: Carl Meyer <carl@oddbird.net>
Date: Sat, 9 Feb 2013 10:17:01 -0700
Subject: Added a new required ALLOWED_HOSTS setting for HTTP host header
 validation.

This is a security fix; disclosure and advisory coming shortly.
---
 tests/regressiontests/requests/tests.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

(limited to 'tests/regressiontests/requests/tests.py')

diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
index 84928f39ba..345376d2df 100644
--- a/tests/regressiontests/requests/tests.py
+++ b/tests/regressiontests/requests/tests.py
@@ -84,7 +84,13 @@ class RequestsTests(unittest.TestCase):
         self.assertEqual(request.build_absolute_uri(location="/path/with:colons"),
             'http://www.example.com/path/with:colons')
 
-    @override_settings(USE_X_FORWARDED_HOST=False)
+    @override_settings(
+        USE_X_FORWARDED_HOST=False,
+        ALLOWED_HOSTS=[
+            'forward.com', 'example.com', 'internal.com', '12.34.56.78',
+            '[2001:19f0:feee::dead:beef:cafe]', 'xn--4ca9at.com',
+            '.multitenant.com', 'INSENSITIVE.com',
+            ])
     def test_http_get_host(self):
         # Check if X_FORWARDED_HOST is provided.
         request = HttpRequest()
@@ -131,6 +137,9 @@ class RequestsTests(unittest.TestCase):
             '[2001:19f0:feee::dead:beef:cafe]',
             '[2001:19f0:feee::dead:beef:cafe]:8080',
             'xn--4ca9at.com', # Punnycode for öäü.com
+            'anything.multitenant.com',
+            'multitenant.com',
+            'insensitive.com',
         ]
 
         poisoned_hosts = [
@@ -139,6 +148,7 @@ class RequestsTests(unittest.TestCase):
             'example.com:dr.frankenstein@evil.tld:80',
             'example.com:80/badpath',
             'example.com: recovermypassword.com',
+            'other.com', # not in ALLOWED_HOSTS
         ]
 
         for host in legit_hosts:
@@ -156,7 +166,7 @@ class RequestsTests(unittest.TestCase):
                 }
                 request.get_host()
 
-    @override_settings(USE_X_FORWARDED_HOST=True)
+    @override_settings(USE_X_FORWARDED_HOST=True, ALLOWED_HOSTS=['*'])
     def test_http_get_host_with_x_forwarded_host(self):
         # Check if X_FORWARDED_HOST is provided.
         request = HttpRequest()
@@ -229,6 +239,16 @@ class RequestsTests(unittest.TestCase):
                 request.get_host()
 
 
+    @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+    def test_host_validation_disabled_in_debug_mode(self):
+        """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+        request = HttpRequest()
+        request.META = {
+            'HTTP_HOST': 'example.com',
+        }
+        self.assertEqual(request.get_host(), 'example.com')
+
+
     def test_near_expiration(self):
         "Cookie will expire when an near expiration time is provided"
         response = HttpResponse()
-- 
cgit v1.3