From adb96617897690b3a01e39e8297ae7d67825d2bc Mon Sep 17 00:00:00 2001
From: Gordon Pendleton
Date: Sat, 23 Nov 2019 21:17:31 -0500
Subject: [PATCH] Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True.

---
 django/http/request.py | 2 +-
 docs/ref/settings.txt | 7 ++++++-
 docs/releases/3.1.txt | 3 ++-
 tests/requests/tests.py | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/django/http/request.py b/django/http/request.py
index 933af0f13e..5c567b9c46 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -108,7 +108,7 @@ class HttpRequest:
 # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
 allowed_hosts = settings.ALLOWED_HOSTS
 if settings.DEBUG and not allowed_hosts:
- allowed_hosts = ['localhost', '127.0.0.1', '[::1]']
+ allowed_hosts = ['.localhost', '127.0.0.1', '[::1]']
 
 domain, port = split_domain_port(host)
 if domain and validate_host(domain, allowed_hosts):
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 6c8ea9b762..3c360cf284 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -90,7 +90,7 @@ list, the :meth:`django.http.HttpRequest.get_host()` method will raise
 :exc:`~django.core.exceptions.SuspiciousOperation`.
 
 When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
-is validated against ``['localhost', '127.0.0.1', '[::1]']``.
+is validated against ``['.localhost', '127.0.0.1', '[::1]']``.
 
 ``ALLOWED_HOSTS`` is also :ref:`checked when running tests `.
 
@@ -99,6 +99,11 @@ This validation only applies via
 :meth:`~django.http.HttpRequest.get_host()`; if your code accesses the ``Host`` header directly from ``request.META`` you are bypassing this security protection.
 
+.. versionchanged:: 3.1
+
+ If ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, subdomains of localhost
+ were allowed.
+
 .. setting:: APPEND_SLASH
 
 ``APPEND_SLASH``
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 4c8cc56797..631978d0ac 100644
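Review bot: The comment on the first context line still describes the default list as "variants of localhost", but the new `'.localhost'` entry widens it to every name under that suffix, and the comment should say why that is acceptable for the DEBUG-only path, e.g. `# Allow localhost and any subdomain of it (RFC 6761 reserves .localhost for loopback), plus the loopback IPs, when ALLOWED_HOSTS is empty and DEBUG=True.` The leading-dot form presumably relies on validate_host's suffix matching, with the bare name still accepted through its exact-match branch (the test hunk lists both `localhost` and `subdomain.localhost` as valid), so a one-line remark that `.localhost` does not exclude `localhost` itself would spare the next reader a trip into validate_host. The enclosing get_host method starts and ends outside the hunk.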
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -222,7 +222,8 @@ Pagination
 Requests and Responses
 ~~~~~~~~~~~~~~~~~~~~~~
 
-* ...
+* If :setting:`ALLOWED_HOSTS` is empty and ``DEBUG=True``, subdomains of
+ localhost are now allowed in the ``Host`` header, e.g. ``static.localhost``.
 
 Serialization
 ~~~~~~~~~~~~~
diff --git a/tests/requests/tests.py b/tests/requests/tests.py
index 3320c59ba3..c57d5caae2 100644
--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -758,7 +758,7 @@ class HostValidationTests(SimpleTestCase):
 If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost
 are allowed.
 """
- valid_hosts = ['localhost', '127.0.0.1', '[::1]']
+ valid_hosts = ['localhost', 'subdomain.localhost', '127.0.0.1', '[::1]']
 for host in valid_hosts:
 request = HttpRequest()
 request.META = {'HTTP_HOST': host}
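Review bot: The new `'subdomain.localhost'` entry only extends the positive list; nothing in this hunk checks that the suffix rule stops at the label boundary, so a regression that matched on a bare `endswith('localhost')` instead of `'.localhost'` would still pass. Unless HostValidationTests already covers it elsewhere, add a companion loop under the same DEBUG=True, empty-ALLOWED_HOSTS settings, e.g. `for host in ['localhost.example.com', 'notlocalhost']:` with `request.META = {'HTTP_HOST': host}` and `self.assertRaises(DisallowedHost, request.get_host)`. A multi-level name such as `'a.b.localhost'` in valid_hosts would also document that the default places no limit on depth. The test method's decorator and signature, and the assertion following the loop, are outside the hunk.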