#29606: Validate the type of ALLOWED_HOSTS to prevent possible issues and wasted
time
-------------------------------------+-------------------------------------
               Reporter:  rafis      |          Owner:  nobody
                   Type:  New        |         Status:  new
  feature                            |
              Component:  Core       |        Version:  2.0
  (System checks)                    |
               Severity:  Normal     |       Keywords:  allowed_hosts
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  1
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 Python has soft behavior for iterating over lists and over strings,
 making them look the same:
 {{{#!python
     for char_or_item in str_or_list:
         # `char_or_item` can be a character or a list item
 }}}
 It would be better if it had stricter behavior, for example,
 {{{#!python
     for char in some_str.chars():
         # now `char` can be only of string type and the `list` class
         # would not have a `chars` method
 }}}
 and for list
 {{{#!python
     for item in some_list.list_items():
         # the `string` class would not have a `list_items` method
 }}}
 This soft behavior usually leads to many nasty bugs. Two software
 engineers from our team wasted about 1 hour debugging an issue
 with ALLOWED_HOSTS being initialized with a string in `local_settings.py`,
 which is included at the end of `settings.py`. Django was matching each
 separate character of the ALLOWED_HOSTS string against the "Host:" header
 from an incoming HTTP request.

 An obvious self-suggesting solution is to add a new system check that will
 check whether ALLOWED_HOSTS is a string or not and notify the
 developer about possible improper configuration. I think blacklist
 checking (string or not) is more appropriate here, but I can be wrong.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29606>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
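
The failure mode reported in this ticket and the kind of type check it asks for, as an added example that is not part of the ticket or of Django's code. `host_allowed` is a simplified stand-in for per-pattern host matching, `check_allowed_hosts_type` is a hypothetical check function, and all host values are constructed.

```python
def host_allowed(host, allowed_hosts):
    """Simplified model of host validation: iterate over the setting and
    accept on '*', an exact match, or a leading-dot subdomain pattern."""
    host = host.lower()
    for pattern in allowed_hosts:  # a str here yields single characters
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (
            host.endswith(pattern) or host == pattern[1:]
        ):
            return True
    return False


def check_allowed_hosts_type(value):
    """Return a list of error messages; an empty list means the value is OK."""
    if isinstance(value, (str, bytes)):
        return ["ALLOWED_HOSTS must be a list or tuple of host names, "
                "not a single string: %r" % (value,)]
    if not isinstance(value, (list, tuple)):
        return ["ALLOWED_HOSTS must be a list or tuple, got %s"
                % type(value).__name__]
    bad = [item for item in value if not isinstance(item, str)]
    if bad:
        return ["ALLOWED_HOSTS entries must be strings, got: %r" % (bad,)]
    return []


if __name__ == "__main__":
    # Constructed settings values: the intended list and two string mistakes.
    for setting in (["example.com"], "example.com", "*.example.com"):
        print(repr(setting))
        print("  type check errors:", check_allowed_hosts_type(setting))
        for host in ("example.com", "other.test"):
            print("  Host: %-12s allowed=%s" % (host, host_allowed(host, setting)))
```

With a string value the legitimate host is rejected because no single character equals it, and a string that merely contains `*` behaves as the match-everything wildcard, which silently turns host validation off.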
