Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add setting to fix runserver_plus debugger on custom host names #1878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add setting to fix runserver_plus debugger on custom host names #1878

wants to merge 2 commits into from

Conversation

browniebroke
Copy link
Contributor

Add RUNSERVERPLUS_TRUSTED_HOSTS setting to work with Werkzeug 3.0.3+ debugger.

Werkzeug version 3.0.3 introduced a fix for a security vulnerability:

Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985

I'm running runserver_plus with Werkzeug 3.0.3 on a machine with a custom dev host (e.g. dev.mydomain.com) which means that the Werkzeug debugger no longer works.

As far as I could tell, there was no way to tell Werkzeug to trust my dev host, so adding this option to do so.

Questions

  1. Should this default to settings.ALLOWED_HOSTS? It might be a good enough default on a Django project...
  2. Updated the docs, let me know if I missed anything?

@browniebroke
Copy link
Contributor Author

Looks like the test failures are unrelated to my change, or am I missing something?

Is there any interest for this change?

@jribbens
Copy link

jribbens commented Jul 8, 2024

Is there any interest for this change?

Yes, this change, or something like it, is vital for runserver_plus to continue being useful.
(Pretty disgraceful of Werkzeug to make such a change in a patch release frankly.)

@jribbens
Copy link

Given this project appears to be moribund, the following work-around can be used to avoid having to pin Werkzeug to <3.0.3.

Put the following in your settings/dev.py file or whatever you have that's similar:

import werkzeug.debug

werkzeug.debug.DebuggedApplication.check_host_trust = (
    lambda *args, **kwargs: True  # noqa: ARG005
)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@browniebroke @jribbens