pallets / werkzeug

The comprehensive WSGI web application library.
https://werkzeug.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

check `request.trusted_hosts` in `Map.bind_to_environ` #3007

Open davidism opened 1 week ago

davidism commented 1 week ago

`Map.bind_to_environ` can be passed an environ or a request object. But it always calls `get_host(environ)`. If it used `request.host` if a request was passed, this would check `request.trusted_hosts` during routing. See pallets/flask#5636

davidism commented 1 week ago

Consider making `request.trusted_hosts` a property, so setting it would automatically trigger validation. I'm not sure if this is a good idea or not. It's not particularly useful in Werkzeug, where the request is available to be configured before routing. It's only really convenient in Flask where a view (after routing) may want to set specific trusted hosts.
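An added example, not part of the thread and not Werkzeug's own code: one way for a plain Werkzeug application to make sure the `Host` header has been checked against `request.trusted_hosts` before routing, by reading `request.host` ahead of `Map.bind_to_environ`. The names `AppRequest`, `bind_checked`, `route` and the host names are hypothetical.

```python
from werkzeug.exceptions import SecurityError
from werkzeug.routing import Map, Rule
from werkzeug.test import create_environ
from werkzeug.wrappers import Request


class AppRequest(Request):
    # Hypothetical allow-list; a leading dot would also allow subdomains.
    trusted_hosts = ["example.com"]


url_map = Map([Rule("/", endpoint="index")])


def bind_checked(url_map, request):
    """Validate the Host header against request.trusted_hosts, then bind.

    Reading request.host raises SecurityError for an untrusted host, so
    the routing adapter is never built from an unvalidated host name.
    """
    _ = request.host
    return url_map.bind_to_environ(request)


def route(host):
    """Route GET / for a constructed request carrying the given Host."""
    environ = create_environ("/", base_url=f"http://{host}/")
    request = AppRequest(environ)
    try:
        adapter = bind_checked(url_map, request)
    except SecurityError:
        # SecurityError is a BadRequest subclass; a real app would return 400.
        return ("rejected", None)
    return (adapter.server_name, adapter.match()[0])


if __name__ == "__main__":
    # Constructed sample hosts: one on the allow-list, one not.
    for host in ("example.com", "untrusted.test"):
        print(host, "->", route(host))
```
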