configure and check request.trusted_hosts #5636

Closed
davidism opened this issue Nov 13, 2024 · 2 comments · Fixed by #5637

@davidism
Member

If `request.trusted_hosts` is set, it will be checked when accessing `request.host`/`url`/etc. Add `TRUSTED_HOSTS` config, and check it during routing.

@davidism davidism added this to the 3.1.0 milestone Nov 13, 2024
@davidism
Member Author

`Map.bind_to_environ` is called when creating the request context, and `MapAdapter.match` is called when the context is pushed. Both of these places catch routing exceptions, which are then raised during dispatch after `before_request` and before the view. I think it makes sense to check this in `Flask.create_url_adapter`, as then no matching will be attempted if the host is invalid.

@davidism
Member Author

This should be moved up into `Map.bind_to_environ`, but can be implemented in Flask until Werkzeug 3.2. See pallets/werkzeug#3007
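The idea discussed in this thread, validating the Host header against an allow-list before any route matching runs, shown as an added stdlib-only sketch; it is not part of the issue and not Flask's or Werkzeug's code. The names `host_is_trusted`, `TrustedHostGate`, `demo_app` and `call` are hypothetical, and the matching rule (port ignored, a leading dot also matches subdomains) is an assumption modeled on Werkzeug's documented trusted-host behaviour.

```python
def host_is_trusted(host, trusted):
    """Return True if host (port ignored) matches an entry in trusted.

    Assumed rule: an entry starting with "." also matches any subdomain.
    """
    if not host:
        return False
    if host.startswith("["):
        # Bracketed IPv6 literal: keep everything up to the closing bracket.
        name = host.partition("]")[0] + "]"
    else:
        name = host.rsplit(":", 1)[0] if ":" in host else host
    name = name.lower().rstrip(".")
    for entry in trusted:
        entry = entry.lower()
        if entry.startswith("."):
            # ".example.com" matches example.com and any subdomain of it,
            # but not look-alikes such as notexample.com.
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


class TrustedHostGate:
    """WSGI wrapper: reject untrusted Host values before the app routes."""

    def __init__(self, app, trusted_hosts):
        self.app = app
        self.trusted_hosts = list(trusted_hosts)

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if not host_is_trusted(host, self.trusted_hosts):
            body = b"Bad Request: untrusted host\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]  # the wrapped app, and its routing, never runs
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for a routed application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"routed\n"]


def call(app, host):
    """Drive a WSGI callable with a constructed environ; return (status, body)."""
    seen = []
    body = app({"HTTP_HOST": host, "PATH_INFO": "/"}, lambda s, h: seen.append(s))
    return seen[0], b"".join(body)
```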

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2024