From c052699be3637c22e3a26383a4bdabc8c3cc0feb Mon Sep 17 00:00:00 2001
From: Claude Paroz
Date: Thu, 24 Oct 2013 19:34:40 +0200
Subject: [PATCH] Fixed #20338 -- Stripped ending dot during host validation
Thanks manfre for the report and Timo Graham for the review.
---
 django/http/request.py | 2 ++
 docs/ref/settings.txt | 14 +++++++++-----
 tests/requests/tests.py | 4 +++-
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/django/http/request.py b/django/http/request.py
index 3f480592af..07ab6cb27d 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -520,6 +520,8 @@ def validate_host(host, allowed_hosts):
 Return ``True`` for a valid host, ``False`` otherwise.
 """
+ host = host[:-1] if host.endswith('.') else host
+
 for pattern in allowed_hosts:
 pattern = pattern.lower()
 match = (
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 76e771bf34..32a8237d3f 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
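Review bot: The normalization on the added `host = host[:-1] if host.endswith('.') else host` line is one-sided: the trailing dot is dropped from `host` but not from the `allowed_hosts` patterns, so an entry that itself ends in a dot — `'.example.com.'`, the form the documentation removed in this same commit told people to add — presumably no longer matches anything once the host has lost its dot (the comparison after `match = (` lies outside the hunk, so this is inferred from the old code shape). That is harmless while the bare `'.example.com'` entry sits alongside it, but a setting that lists only the dotted form would start rejecting hosts it accepted before; stripping the pattern the same way, `pattern = pattern[:-1] if pattern.endswith('.') else pattern` right after `pattern = pattern.lower()`, keeps such configurations working without widening what matches. The docstring, whose opening is above the hunk, should also record the new behaviour and why only one character is removed, e.g. `A single trailing dot on host (the FQDN form some clients send) is ignored, so example.com. matches an entry for example.com; only one dot is removed, so example.com.. is still rejected.` validate_host's docstring starts and its loop body ends outside the hunk.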
@@ -79,18 +79,22 @@ responsible to provide your own validation of the ``Host`` header (perhaps in a
 middleware; if so this middleware must be listed first in
 :setting:`MIDDLEWARE_CLASSES`).
-.. note::
+.. versionchanged:: 1.7
- If you want to also allow the `fully qualified domain name (FQDN)`_, which
- some browsers can send in the Host header, you must explicitly add another
- ALLOWED_HOSTS entry that includes a trailing period. This entry can also be
- a subdomain wildcard::
+ In previous versions of Django, if you wanted to also allow the
+ `fully qualified domain name (FQDN)`_, which some browsers can send in the
+ ``Host`` header, you had to explicitly add another ``ALLOWED_HOSTS`` entry
+ that included a trailing period. This entry could also be a subdomain
+ wildcard::
 ALLOWED_HOSTS = [
 '.example.com', # Allow domain and subdomains
 '.example.com.', # Also allow FQDN and subdomains
 ]
+ In Django 1.7, the trailing dot is stripped when performing host validation,
+ thus an entry with a trailing dot isn't required.
+
 .. _`fully qualified domain name (FQDN)`: http://en.wikipedia.org/wiki/Fully_qualified_domain_name
 If the ``Host`` header (or ``X-Forwarded-Host`` if
diff --git a/tests/requests/tests.py b/tests/requests/tests.py
index b26d9e9e6e..067d71b3d7 100644
--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -529,6 +529,8 @@ class HostValidationTests(SimpleTestCase):
 'anything.multitenant.com',
 'multitenant.com',
 'insensitive.com',
+ 'example.com.',
+ 'example.com.:80',
 ]
 for host in legit_hosts:
@@ -539,7 +541,7 @@ class HostValidationTests(SimpleTestCase):
 request.get_host()
 # Poisoned host headers are rejected as suspicious
- for host in chain(self.poisoned_hosts, ['other.com']):
+ for host in chain(self.poisoned_hosts, ['other.com', 'example.com..']):
 with self.assertRaises(SuspiciousOperation):
 request = HttpRequest()
 request.META = {
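Review bot: The new cases pin only the host side of the comparison; there is no case for an `ALLOWED_HOSTS` entry that itself carries the trailing dot (`'.example.com.'`), which is exactly the configuration the removed documentation told users to add and whose matching this change alters. Adding `'.example.com.'` (or `'example.com.'`) to the test's allowed-hosts setting, with both `'example.com'` and `'example.com.'` in `legit_hosts`, would record whether such entries still match after the strip instead of leaving that to chance. A lone-dot host such as `'.'` is also worth a line in the poisoned list, since it becomes the empty string once the dot is removed and should still be rejected. The `legit_hosts` list and the enclosing test method begin outside the hunk.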