Fixed #19987 -- Disabled host validation when DEBUG=True.

The documentation promises that host validation is disabled when DEBUG=True, that all hostnames are accepted. Domains not compliant with RFC 1034/1035 were however being validated, this validation has now been removed when DEBUG=True. Additionally, when DEBUG=False a more detailed SuspiciousOperation exception message is provided when host validation fails because the hostname is not RFC 1034/1035 compliant.
2025-10-31 09:41:08 +00:00 · 2013-03-27 17:37:08 +01:00
parent acd1d439fd
commit 1c3c21b38d
2 changed files with 23 additions and 2 deletions
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -68,14 +68,19 @@ class HttpRequest(object):
            if server_port != ('443' if self.is_secure() else '80'):
                host = '%s:%s' % (host, server_port)

-        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
+        # There is no hostname validation when DEBUG=True
+        if settings.DEBUG:
+            return host
+
        domain, port = split_domain_port(host)
-        if domain and validate_host(domain, allowed_hosts):
+        if domain and validate_host(domain, settings.ALLOWED_HOSTS):
            return host
        else:
            msg = "Invalid HTTP_HOST header: %r." % host
            if domain:
                msg += "You may need to add %r to ALLOWED_HOSTS." % domain
+            else:
+                msg += "The domain name provided is not valid according to RFC 1034/1035"
            raise DisallowedHost(msg)

    def get_full_path(self):
--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -620,12 +620,20 @@ class HostValidationTests(SimpleTestCase):
        }
        self.assertEqual(request.get_host(), 'example.com')

+        # Invalid hostnames would normally raise a SuspiciousOperation,
+        # but we have DEBUG=True, so this check is disabled.
+        request = HttpRequest()
+        request.META = {
+            'HTTP_HOST': "invalid_hostname.com",
+        }
+        self.assertEqual(request.get_host(), "invalid_hostname.com")

    @override_settings(ALLOWED_HOSTS=[])
    def test_get_host_suggestion_of_allowed_host(self):
        """get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
        msg_invalid_host = "Invalid HTTP_HOST header: %r."
        msg_suggestion = msg_invalid_host + "You may need to add %r to ALLOWED_HOSTS."
+        msg_suggestion2 = msg_invalid_host + "The domain name provided is not valid according to RFC 1034/1035"

        for host in [ # Valid-looking hosts
            'example.com',
@@ -664,6 +672,14 @@ class HostValidationTests(SimpleTestCase):
                request.get_host
            )

+        request = HttpRequest()
+        request.META = {'HTTP_HOST': "invalid_hostname.com"}
+        self.assertRaisesMessage(
+            SuspiciousOperation,
+            msg_suggestion2 % "invalid_hostname.com",
+            request.get_host
+        )
+

@skipIf(connection.vendor == 'sqlite'
        and connection.settings_dict['TEST_NAME'] in (None, '', ':memory:'),