plain 0.64.0__py3-none-any.whl → 0.65.0__py3-none-any.whl

plain/CHANGELOG.md

@@ -1,5 +1,15 @@
 # plain changelog
 
+## [0.65.0](https://github.com/dropseed/plain/releases/plain@0.65.0) (2025-09-22)
+
+### What's changed
+
+- Added CIDR notation support to `ALLOWED_HOSTS` for IP address range validation ([c485d21](https://github.com/dropseed/plain/commit/c485d21a8b))
+
+### Upgrade instructions
+
+- No changes required
+
 ## [0.64.0](https://github.com/dropseed/plain/releases/plain@0.64.0) (2025-09-19)
 
 ### What's changed

plain/http/hosts.py

@@ -0,0 +1,147 @@
+"""
+Host validation utilities for ALLOWED_HOSTS functionality.
+
+This module provides functions for validating hosts against allowed patterns,
+including domain patterns, wildcards, and CIDR notation for IP ranges.
+"""
+
+import ipaddress
+
+from plain.utils.regex_helper import _lazy_re_compile
+
+host_validation_re = _lazy_re_compile(
+    r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$"
+)
+
+
+def split_domain_port(host: str) -> tuple[str, str]:
+    """
+    Return a (domain, port) tuple from a given host.
+
+    Returned domain is lowercased. If the host is invalid, the domain will be
+    empty.
+    """
+    host = host.lower()
+
+    if not host_validation_re.match(host):
+        return "", ""
+
+    if host[-1] == "]":
+        # It's an IPv6 address without a port.
+        return host, ""
+    bits = host.rsplit(":", 1)
+    domain, port = bits if len(bits) == 2 else (bits[0], "")
+    # Remove a trailing dot (if present) from the domain.
+    domain = domain.removesuffix(".")
+    return domain, port
+
+
+def _is_same_domain(host: str, pattern: str) -> bool:
+    """
+    Return ``True`` if the host is either an exact match or a match
+    to the wildcard pattern.
+
+    Any pattern beginning with a period matches a domain and all of its
+    subdomains. (e.g. ``.example.com`` matches ``example.com`` and
+    ``foo.example.com``). Anything else is an exact string match.
+    """
+    if not pattern:
+        return False
+
+    pattern = pattern.lower()
+    return (
+        pattern[0] == "."
+        and (host.endswith(pattern) or host == pattern[1:])
+        or pattern == host
+    )
+
+
+def _parse_ip_address(
+    host: str,
+) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
+    """
+    Parse a host string as an IP address (IPv4 or IPv6).
+
+    Returns the ipaddress.ip_address object if valid, None otherwise.
+    Handles both bracketed and non-bracketed IPv6 addresses.
+    """
+    # Remove brackets from IPv6 addresses
+    if host.startswith("[") and host.endswith("]"):
+        host = host[1:-1]
+
+    try:
+        return ipaddress.ip_address(host)
+    except ValueError:
+        return None
+
+
+def _parse_cidr_pattern(
+    pattern: str,
+) -> ipaddress.IPv4Network | ipaddress.IPv6Network | None:
+    """
+    Parse a CIDR pattern and return the network object if valid.
+
+    Returns the ipaddress.ip_network object if valid CIDR notation, None otherwise.
+    """
+    # Check if it contains a slash (required for CIDR)
+    if "/" not in pattern:
+        return None
+
+    # Remove brackets from IPv6 CIDR patterns
+    test_pattern = pattern
+    if pattern.startswith("[") and "]/" in pattern:
+        # Handle format like [2001:db8::]/32
+        bracket_end = pattern.find("]/")
+        if bracket_end != -1:
+            ip_part = pattern[1:bracket_end]
+            cidr_part = pattern[bracket_end + 2 :]
+            test_pattern = f"{ip_part}/{cidr_part}"
+    elif pattern.startswith("[") and pattern.endswith("]") and "/" in pattern:
+        # Handle format like [2001:db8::/32] (slash inside brackets)
+        test_pattern = pattern[1:-1]
+
+    try:
+        return ipaddress.ip_network(test_pattern, strict=False)
+    except ValueError:
+        return None
+
+
+def validate_host(host: str, allowed_hosts: list[str]) -> bool:
+    """
+    Validate the given host for this site.
+
+    Check that the host looks valid and matches a host or host pattern in the
+    given list of ``allowed_hosts``. Supported patterns:
+
+    - ``*`` matches anything
+    - ``.example.com`` matches a domain and all its subdomains
+      (e.g. ``example.com`` and ``sub.example.com``)
+    - ``example.com`` matches exactly that domain
+    - ``192.168.1.0/24`` matches IP addresses in that CIDR range
+    - ``[2001:db8::]/32`` matches IPv6 addresses in that CIDR range
+    - ``192.168.1.1`` matches that exact IP address
+
+    Note: This function assumes that the given host is lowercased and has
+    already had the port, if any, stripped off.
+
+    Return ``True`` for a valid host, ``False`` otherwise.
+    """
+    # Parse the host as an IP address if possible
+    host_ip = _parse_ip_address(host)
+
+    for pattern in allowed_hosts:
+        # Wildcard matches everything
+        if pattern == "*":
+            return True
+
+        # Check CIDR notation patterns using walrus operator
+        if network := _parse_cidr_pattern(pattern):
+            if host_ip and host_ip in network:
+                return True
+            continue
+
+        # For non-CIDR patterns, use existing domain matching logic
+        if _is_same_domain(host, pattern):
+            return True
+
+    return False

plain/http/request.py

@@ -27,12 +27,9 @@ from plain.utils.datastructures import (
     MultiValueDict,
 )
 from plain.utils.encoding import iri_to_uri
-from plain.utils.http import is_same_domain, parse_header_parameters
-from plain.utils.regex_helper import _lazy_re_compile
+from plain.utils.http import parse_header_parameters
 
-host_validation_re = _lazy_re_compile(
-    r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$"
-)
+from .hosts import split_domain_port, validate_host
 
 
 class UnreadablePostError(OSError):
@@ -702,47 +699,5 @@ def bytes_to_text(s, encoding):
         return s
 
 
-def split_domain_port(host):
-    """
-    Return a (domain, port) tuple from a given host.
-
-    Returned domain is lowercased. If the host is invalid, the domain will be
-    empty.
-    """
-    host = host.lower()
-
-    if not host_validation_re.match(host):
-        return "", ""
-
-    if host[-1] == "]":
-        # It's an IPv6 address without a port.
-        return host, ""
-    bits = host.rsplit(":", 1)
-    domain, port = bits if len(bits) == 2 else (bits[0], "")
-    # Remove a trailing dot (if present) from the domain.
-    domain = domain.removesuffix(".")
-    return domain, port
-
-
-def validate_host(host, allowed_hosts):
-    """
-    Validate the given host for this site.
-
-    Check that the host looks valid and matches a host or host pattern in the
-    given list of ``allowed_hosts``. Any pattern beginning with a period
-    matches a domain and all its subdomains (e.g. ``.example.com`` matches
-    ``example.com`` and any subdomain), ``*`` matches anything, and anything
-    else must match exactly.
-
-    Note: This function assumes that the given host is lowercased and has
-    already had the port, if any, stripped off.
-
-    Return ``True`` for a valid host, ``False`` otherwise.
-    """
-    return any(
-        pattern == "*" or is_same_domain(host, pattern) for pattern in allowed_hosts
-    )
-
-
 def parse_accept_header(header):
     return [MediaType(token) for token in header.split(",") if token.strip()]

plain/runtime/global_settings.py

@@ -24,6 +24,7 @@ URLS_ROUTER: str
 
 # Hosts/domain names that are valid for this site.
 # "*" matches anything, ".example.com" matches example.com and all subdomains
+# "192.168.1.0/24" matches IP addresses in that CIDR range
 ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.

plain/utils/http.py

@@ -92,26 +92,6 @@ def int_to_base36(i):
     return b36
 
 
-def is_same_domain(host, pattern):
-    """
-    Return ``True`` if the host is either an exact match or a match
-    to the wildcard pattern.
-
-    Any pattern beginning with a period matches a domain and all of its
-    subdomains. (e.g. ``.example.com`` matches ``example.com`` and
-    ``foo.example.com``). Anything else is an exact string match.
-    """
-    if not pattern:
-        return False
-
-    pattern = pattern.lower()
-    return (
-        pattern[0] == "."
-        and (host.endswith(pattern) or host == pattern[1:])
-        or pattern == host
-    )
-
-
 def escape_leading_slashes(url):
     """
     If redirecting to an absolute path (two leading slashes), a slash must be

{plain-0.64.0.dist-info → plain-0.65.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.64.0
+Version: 0.65.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.64.0.dist-info → plain-0.65.0.dist-info}/RECORD

@@ -1,5 +1,5 @@
 plain/AGENTS.md,sha256=5XMGBpJgbCNIpp60DPXB7bpAtFk8FAzqiZke95T965o,1038
-plain/CHANGELOG.md,sha256=8EVqRYBSknRtM-becwiafkwoLHz3z2erO8dyULfVKfY,14516
+plain/CHANGELOG.md,sha256=VksQqN6aUmaBpAwFEeYBcjbOSWR-LwwWHB8kJmqK3fU,14815
 plain/README.md,sha256=5BJyKhf0TDanWVbOQyZ3zsi5Lov9xk-LlJYCDWofM6Y,4078
 plain/__main__.py,sha256=GK39854Lc_LO_JP8DzY9Y2MIQ4cQEl7SXFJy244-lC8,110
 plain/debug.py,sha256=XdjnXcbPGsi0J2SpHGaLthhYU5AjhBlkHdemaP4sbYY,758
@@ -57,8 +57,9 @@ plain/forms/forms.py,sha256=hF7Dl8rEaiBTZhFQyfbh1Zf54BSEka8RYpBiGqkTa8I,10441
 plain/http/README.md,sha256=hkjTJJ2_WEGm7vaIxjjNHrzD6EN5VI6pjDJPIR9l1jo,760
 plain/http/__init__.py,sha256=PfmXBIq7onLO_bbOrVdj5rJeHxqJMYqrIobVKupUzUA,1003
 plain/http/cookie.py,sha256=THd7nOl-2ugeBPKgOhbD87aM2oxUbNH8HWrarUn0fpM,1955
+plain/http/hosts.py,sha256=GbvFzle2VgPC2ehtXW8MM_1XD9gKuv7h-8HTOX3RiJA,4567
 plain/http/multipartparser.py,sha256=Z1dFJNAd8N5RHUuF67jh1jBfZOFepORsre_3ee6CgOQ,27266
-plain/http/request.py,sha256=93b2gqkfEsBczUyP_9vlueVoxyzzfbnJ423PDAk8aHc,26103
+plain/http/request.py,sha256=ikDCo5WOSKgHvDz8jn_CaFNa8grVxhWrR60lROLjRwI,24672
 plain/http/response.py,sha256=FM3otFkKEEkAaV_pVB3JUSMhMk7x_zf5JcDWKhOKviM,23223
 plain/internal/__init__.py,sha256=fVBaYLCXEQc-7riHMSlw3vMTTuF7-0Bj2I8aGzv0o0w,171
 plain/internal/files/__init__.py,sha256=VctFgox4Q1AWF3klPaoCC5GIw5KeLafYjY5JmN8mAVw,63
@@ -97,7 +98,7 @@ plain/preflight/security.py,sha256=oxUZBp2M0bpBfUoLYepIxoex2Y90nyjlrL8XU8UTHYY,2
 plain/preflight/urls.py,sha256=cQ-WnFa_5oztpKdtwhuIGb7pXEml__bHsjs1SWO2YNI,1468
 plain/runtime/README.md,sha256=sTqXXJkckwqkk9O06XMMSNRokAYjrZBnB50JD36BsYI,4873
 plain/runtime/__init__.py,sha256=byFYnHrpUCwkpkHtdNhxr9iUdLDCWJjy92HPj30Ilck,2478
-plain/runtime/global_settings.py,sha256=PjgrsTQc3aQ0YxbZ43Lj2eNrOcP6hf4jBjjQ2lT0MfE,5767
+plain/runtime/global_settings.py,sha256=GxcXFjXui5GLkiLlWe8P8X91ndShnmuJK0Ql6xjn24s,5826
 plain/runtime/user_settings.py,sha256=OzMiEkE6ZQ50nxd1WIqirXPiNuMAQULklYHEzgzLWgA,11027
 plain/runtime/utils.py,sha256=p5IuNTzc7Kq-9Ym7etYnt_xqHw5TioxfSkFeq1bKdgk,832
 plain/signals/README.md,sha256=XefXqROlDhzw7Z5l_nx6Mhq6n9jjQ-ECGbH0vvhKWYg,272
@@ -140,7 +141,7 @@ plain/utils/encoding.py,sha256=T0Shb2xRAR3NPwwoqhpUOB55gDprWzqu72aRiiulv9Y,4251
 plain/utils/functional.py,sha256=eJksrhVdkC8HKF56qtVyTOsOnkZB2jMUnXSTGzjJMF4,13331
 plain/utils/hashable.py,sha256=uLWobCCh7VcEPJ7xzVGPgigNVuTazYJbyzRzHTCI_wo,739
 plain/utils/html.py,sha256=SR8oNrungB5gxJaHbvAaCw_bAiqLQOk09fj-iIXY0i0,3679
-plain/utils/http.py,sha256=VOOnwRXnDp5PL_qEmkInLTm10fF58vlhVjeSTdzV2cQ,6031
+plain/utils/http.py,sha256=_YrXfauKOiEDr2beFK4UY2A2Am1Xz1BpZCho1A6I3W4,5471
 plain/utils/inspect.py,sha256=O3VMH5f4aGOrVpXJBKtQOxx01XrKnjjz6VO_MCV0xkE,1140
 plain/utils/ipv6.py,sha256=pISQ2AIlG8xXlxpphn388q03fq-fOrlu4GZR0YYjQXw,1267
 plain/utils/itercompat.py,sha256=lacIDjczhxbwG4ON_KfG1H6VNPOGOpbRhnVhbedo2CY,184
@@ -160,8 +161,8 @@ plain/views/forms.py,sha256=ESZOXuo6IeYixp1RZvPb94KplkowRiwO2eGJCM6zJI0,2400
 plain/views/objects.py,sha256=v3Vgvdoc1s0QW6JNWWrO5XXy9zF7vgwndgxX1eOSQoE,4999
 plain/views/redirect.py,sha256=Xpb3cB7nZYvKgkNqcAxf9Jwm2SWcQ0u2xz4oO5M3vP8,1909
 plain/views/templates.py,sha256=oAlebEyfES0rzBhfyEJzFmgLkpkbleA6Eip-8zDp-yk,1863
-plain-0.64.0.dist-info/METADATA,sha256=rXEqF5LoYBy2GzUEq2vrrhCDIG_Xn3VmyXAHgd4OdY4,4488
-plain-0.64.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-plain-0.64.0.dist-info/entry_points.txt,sha256=iGx7EijzXy87htbSv90RhtAcjhSTH_kvE8aeRCn1TRA,129
-plain-0.64.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.64.0.dist-info/RECORD,,
+plain-0.65.0.dist-info/METADATA,sha256=L7dFhqvEh4ZVoSDn3ow2O751k6Rx4R_BCWv4I7__ZJw,4488
+plain-0.65.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+plain-0.65.0.dist-info/entry_points.txt,sha256=iGx7EijzXy87htbSv90RhtAcjhSTH_kvE8aeRCn1TRA,129
+plain-0.65.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.65.0.dist-info/RECORD,,