1
0
mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00

Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True.

This commit is contained in:
Gordon Pendleton
2019-11-23 21:17:31 -05:00
committed by Mariusz Felisiak
parent 3930ec1bf2
commit adb9661789
4 changed files with 10 additions and 4 deletions

View File

@@ -90,7 +90,7 @@ list, the :meth:`django.http.HttpRequest.get_host()` method will raise
:exc:`~django.core.exceptions.SuspiciousOperation`.
When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
is validated against ``['localhost', '127.0.0.1', '[::1]']``.
is validated against ``['.localhost', '127.0.0.1', '[::1]']``.
``ALLOWED_HOSTS`` is also :ref:`checked when running tests
<topics-testing-advanced-multiple-hosts>`.
@@ -99,6 +99,11 @@ This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
if your code accesses the ``Host`` header directly from ``request.META`` you
are bypassing this security protection.
.. versionchanged:: 3.1
If ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, subdomains of localhost
were allowed.
.. setting:: APPEND_SLASH
``APPEND_SLASH``