Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True.

2025-07-24 05:36:15 +00:00 · 2019-11-23 21:17:31 -05:00 · 2019-11-23 21:17:31 -05:00 · adb9661789
commit adb9661789
parent 3930ec1bf2
4 changed files with 10 additions and 4 deletions
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -90,7 +90,7 @@ list, the :meth:`django.http.HttpRequest.get_host()` method will raise
 :exc:`~django.core.exceptions.SuspiciousOperation`.

 When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
-is validated against ``['localhost', '127.0.0.1', '[::1]']``.
+is validated against ``['.localhost', '127.0.0.1', '[::1]']``.

 ``ALLOWED_HOSTS`` is also :ref:`checked when running tests
 <topics-testing-advanced-multiple-hosts>`.
@ -99,6 +99,11 @@ This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
 if your code accesses the ``Host`` header directly from ``request.META`` you
 are bypassing this security protection.

+.. versionchanged:: 3.1
+
+    If ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, subdomains of localhost
+    were allowed.
+
 .. setting:: APPEND_SLASH

 ``APPEND_SLASH``
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@ -222,7 +222,8 @@ Pagination
 Requests and Responses
 ~~~~~~~~~~~~~~~~~~~~~~

-* ...
+* If :setting:`ALLOWED_HOSTS` is empty and ``DEBUG=True``, subdomains of
+  localhost are now allowed in the ``Host`` header, e.g. ``static.localhost``.

 Serialization
 ~~~~~~~~~~~~~