Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS.
@@ -95,6 +95,11 @@ W019 = Warning(
|
|||||||
id='security.W019',
|
id='security.W019',
|
||||||
)
|
)
|
||||||
|
|
||||||
|
W020 = Warning(
|
||||||
|
"ALLOWED_HOSTS must not be empty in deployment.",
|
||||||
|
id='security.W020',
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _security_middleware():
|
def _security_middleware():
|
||||||
return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES
|
return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES
|
||||||
@@ -182,3 +187,8 @@ def check_xframe_deny(app_configs, **kwargs):
|
|||||||
settings.X_FRAME_OPTIONS == 'DENY'
|
settings.X_FRAME_OPTIONS == 'DENY'
|
||||||
)
|
)
|
||||||
return [] if passed_check else [W019]
|
return [] if passed_check else [W019]
|
||||||
|
|
||||||
|
|
||||||
|
@register(Tags.security, deploy=True)
|
||||||
|
def check_allowed_hosts(app_configs, **kwargs):
|
||||||
|
return [] if settings.ALLOWED_HOSTS else [W020]
|
||||||
|
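Review bot: `check_allowed_hosts` passes on any truthy value, so `ALLOWED_HOSTS = ['*']` clears W020 even though a wildcard entry matches every Host header and leaves Host validation to whatever sits in front of Django. If that is intended, state it above the return line, e.g. `# Only emptiness is checked here; a '*' entry passes even though it matches any Host header.` The new `CheckAllowedHostsTest` covers only `[]` and `['.example.com']`, so a `['*']` case there would pin the behaviour as deliberate rather than incidental.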
@@ -476,6 +476,7 @@ of the :djadmin:`check` command:
|
|||||||
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
|
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
|
||||||
for your site to serve other parts of itself in a frame, you should change
|
for your site to serve other parts of itself in a frame, you should change
|
||||||
it to ``'DENY'``.
|
it to ``'DENY'``.
|
||||||
|
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
||||||
|
|
||||||
Sites
|
Sites
|
||||||
-----
|
-----
|
||||||
|
@@ -482,3 +482,18 @@ class CheckDebugTest(SimpleTestCase):
|
|||||||
@override_settings(DEBUG=False)
|
@override_settings(DEBUG=False)
|
||||||
def test_debug_false(self):
|
def test_debug_false(self):
|
||||||
self.assertEqual(self.func(None), [])
|
self.assertEqual(self.func(None), [])
|
||||||
|
|
||||||
|
|
||||||
|
class CheckAllowedHostsTest(SimpleTestCase):
|
||||||
|
@property
|
||||||
|
def func(self):
|
||||||
|
from django.core.checks.security.base import check_allowed_hosts
|
||||||
|
return check_allowed_hosts
|
||||||
|
|
||||||
|
@override_settings(ALLOWED_HOSTS=[])
|
||||||
|
def test_allowed_hosts_empty(self):
|
||||||
|
self.assertEqual(self.func(None), [base.W020])
|
||||||
|
|
||||||
|
@override_settings(ALLOWED_HOSTS=['.example.com', ])
|
||||||
|
def test_allowed_hosts_set(self):
|
||||||
|
self.assertEqual(self.func(None), [])
|
||||||
|