pallets / flask

The Python micro framework for building web applications.
https://flask.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

configure and check `request.trusted_hosts` #5636

Closed davidism closed 2 weeks ago

davidism commented 2 weeks ago

If request.trusted_hosts is set, it will be checked when accessing request.host/url/etc. Add TRUSTED_HOSTS config, and check it during routing.

davidism commented 2 weeks ago

Map.bind_to_environ is called when creating the request context, and MapAdapter.match is called when the context is pushed. Both of these places catch routing exceptions, which are then raised during dispatch after before_request and before the view. I think it makes sense to check this in Flask.create_url_adapter, as then no matching will be attempted if the host is invalid.

davidism commented 2 weeks ago

This should be moved up into Map.bind_to_environ, but can be implemented in Flask until Werkzeug 3.2. See pallets/werkzeug#3007
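As an added example (not code from this PR, Flask, or Werkzeug), the following models the check the thread describes: the request host is validated against a trusted list before any route matching is attempted, so an untrusted `Host` header is rejected without ever reaching the dispatcher. The matching rules are modelled on Werkzeug's `host_is_trusted` semantics (case-insensitive, port ignored, a leading `.` in a trusted entry also matches subdomains); the names `host_is_trusted`, `resolve_host`, `dispatch` and `UntrustedHost`, and the sample WSGI environs, are this example's own constructions.

```python
"""Trusted-host check performed before routing (illustrative example)."""
from __future__ import annotations

from collections.abc import Callable, Iterable


class UntrustedHost(Exception):
    """Raised when the Host header does not match the trusted list."""


def _strip_port(host: str) -> str:
    """Drop a trailing :port; keep bracketed IPv6 literals intact."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_is_trusted(hostname: str | None, trusted_list: Iterable[str] | str) -> bool:
    """Return True if hostname matches an entry in trusted_list.

    An entry such as ".example.com" matches example.com and any subdomain;
    "example.com" matches only that exact name. Comparison is
    case-insensitive and ignores the port.
    """
    if not hostname:
        return False
    hostname = _strip_port(hostname.lower())
    if isinstance(trusted_list, str):
        trusted_list = [trusted_list]
    for ref in trusted_list:
        suffix_match = ref.startswith(".")
        if suffix_match:
            ref = ref[1:]
        ref = _strip_port(ref.lower())
        if ref == hostname or (suffix_match and hostname.endswith("." + ref)):
            return True
    return False


def resolve_host(environ: dict, trusted_hosts: Iterable[str] | None) -> str:
    """Return the request host, or raise if trusted_hosts is set and it does not match.

    trusted_hosts=None means "no check", mirroring a request whose
    trusted_hosts attribute was never configured.
    """
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if trusted_hosts is not None and not host_is_trusted(host, trusted_hosts):
        raise UntrustedHost(f"Host {host!r} is not in the trusted list")
    return host


def dispatch(
    environ: dict,
    trusted_hosts: Iterable[str] | None,
    routes: dict[str, Callable[[str], str]],
) -> tuple[int, str]:
    """Toy dispatcher: host check first, then path matching, then the view."""
    try:
        host = resolve_host(environ, trusted_hosts)  # rejects before matching
    except UntrustedHost:
        return 400, "Bad Request"
    view = routes.get(environ.get("PATH_INFO", "/"))
    if view is None:
        return 404, "Not Found"
    return 200, view(host)


# Constructed sample environs, not captured from a real server.
SAMPLE_ENVIRONS = {
    "exact": {"HTTP_HOST": "example.com", "PATH_INFO": "/"},
    "subdomain": {"HTTP_HOST": "api.example.com:8443", "PATH_INFO": "/"},
    "lookalike": {"HTTP_HOST": "example.com.attacker.test", "PATH_INFO": "/"},
}

if __name__ == "__main__":
    routes = {"/": lambda host: f"served for {host}"}
    for name, env in SAMPLE_ENVIRONS.items():
        print(name, dispatch(env, [".example.com"], routes))
```

The lookalike environ shows why the suffix match requires the dot boundary: `example.com.attacker.test` ends with `example.com` as a string but not with `.example.com`, so it is refused with 400 before any route is consulted.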