plain 0.65.0__tar.gz → 0.66.0__tar.gz

{plain-0.65.0 → plain-0.66.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.65.0
+Version: 0.66.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.65.0 → plain-0.66.0}/plain/CHANGELOG.md

@@ -1,5 +1,30 @@
 # plain changelog
 
+## [0.66.0](https://github.com/dropseed/plain/releases/plain@0.66.0) (2025-09-22)
+
+### What's changed
+
+- Host validation moved to dedicated middleware and `ALLOWED_HOSTS` setting is now required ([6a4b7be](https://github.com/dropseed/plain/commit/6a4b7be220))
+- Changed `request.get_port()` method to `request.port` cached property ([544f3e1](https://github.com/dropseed/plain/commit/544f3e19f8))
+- Removed internal `request._get_full_path()` method ([50cdb58](https://github.com/dropseed/plain/commit/50cdb58d4e))
+
+### Upgrade instructions
+
+- Add `ALLOWED_HOSTS` setting to your configuration if not already present (required for host validation)
+- Replace any usage of `request.get_host()` with `request.host`
+- Replace any usage of `request.get_port()` with `request.port`
+
+## [0.65.1](https://github.com/dropseed/plain/releases/plain@0.65.1) (2025-09-22)
+
+### What's changed
+
+- Fixed DisallowedHost exception handling in request span attributes to prevent telemetry errors ([bcc0005](https://github.com/dropseed/plain/commit/bcc000575b))
+- Removed cached property optimization for scheme/host to improve request processing reliability ([3a52690](https://github.com/dropseed/plain/commit/3a52690d47))
+
+### Upgrade instructions
+
+- No changes required
+
 ## [0.65.0](https://github.com/dropseed/plain/releases/plain@0.65.0) (2025-09-22)
 
 ### What's changed

{plain-0.65.0 → plain-0.66.0}/plain/csrf/middleware.py

@@ -2,7 +2,6 @@ import logging
 import re
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost
 from plain.logs.utils import log_response
 from plain.runtime import settings
 
@@ -81,8 +80,8 @@ class CsrfViewMiddleware:
         if origin == "null":
             return False, "Cross-origin request detected - null Origin header"
 
-        try:
-            if (parsed_origin := urlparse(origin)) and (host := request.get_host()):
+        if (parsed_origin := urlparse(origin)) and (host := request.host):
+            try:
                 # Scheme-agnostic host:port comparison
                 origin_host = parsed_origin.hostname
                 origin_port = parsed_origin.port or (
@@ -97,7 +96,7 @@ class CsrfViewMiddleware:
                 # Use a fake scheme since we only care about host parsing
                 parsed_host = urlparse(f"http://{host}")
                 request_host = parsed_host.hostname or host
-                request_port = request.get_port()
+                request_port = request.port
 
                 # Compare hostname and port (scheme-agnostic)
                 # Both origin_host and request_host are normalized by urlparse (IPv6 brackets stripped)
@@ -110,8 +109,8 @@ class CsrfViewMiddleware:
                             True,
                             f"Same-origin request - Origin {origin} matches Host {host}",
                         )
-        except (ValueError, DisallowedHost):
-            pass
+            except ValueError:
+                pass
 
         # Origin present but doesn't match host
         return (

{plain-0.65.0 → plain-0.66.0}/plain/exceptions.py

@@ -67,12 +67,6 @@ class SuspiciousFileOperation(SuspiciousOperation):
     pass
 
 
-class DisallowedHost(SuspiciousOperation):
-    """HTTP_HOST header contains invalid value"""
-
-    pass
-
-
 class TooManyFieldsSent(SuspiciousOperation):
     """
     The number of fields in a GET or POST request exceeded

{plain-0.65.0 → plain-0.66.0}/plain/http/request.py

@@ -8,7 +8,6 @@ from itertools import chain
 from urllib.parse import parse_qsl, quote, urlencode, urljoin, urlsplit
 
 from plain.exceptions import (
-    DisallowedHost,
     ImproperlyConfigured,
     RequestDataTooBig,
     TooManyFieldsSent,
@@ -29,8 +28,6 @@ from plain.utils.datastructures import (
 from plain.utils.encoding import iri_to_uri
 from plain.utils.http import parse_header_parameters
 
-from .hosts import split_domain_port, validate_host
-
 
 class UnreadablePostError(OSError):
     pass
@@ -123,10 +120,13 @@ class HttpRequest:
             else:
                 self.encoding = self.content_params["charset"]
 
-    def _get_raw_host(self):
+    @cached_property
+    def host(self):
         """
-        Return the HTTP host using the environment or request headers. Skip
-        allowed hosts protection, so may return an insecure host.
+        Return the HTTP host using the environment or request headers.
+
+        Host validation is performed by HostValidationMiddleware, so this
+        property can safely return the host without any validation.
         """
         # We try three options, in order of decreasing preference.
         if settings.USE_X_FORWARDED_HOST and ("HTTP_X_FORWARDED_HOST" in self.meta):
@@ -136,34 +136,13 @@ class HttpRequest:
         else:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.meta["SERVER_NAME"]
-            server_port = self.get_port()
+            server_port = self.port
             if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
-    def get_host(self):
-        """Return the HTTP host using the environment or request headers."""
-        host = self._get_raw_host()
-
-        # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
-        allowed_hosts = settings.ALLOWED_HOSTS
-        if settings.DEBUG and not allowed_hosts:
-            allowed_hosts = [".localhost", "127.0.0.1", "[::1]"]
-
-        domain, port = split_domain_port(host)
-        if domain and validate_host(domain, allowed_hosts):
-            return host
-        else:
-            msg = f"Invalid HTTP_HOST header: {host!r}."
-            if domain:
-                msg += f" You may need to add {domain!r} to ALLOWED_HOSTS."
-            else:
-                msg += (
-                    " The domain name provided is not valid according to RFC 1034/1035."
-                )
-            raise DisallowedHost(msg)
-
-    def get_port(self):
+    @cached_property
+    def port(self):
         """Return the port number for the request as a string."""
         if settings.USE_X_FORWARDED_PORT and "HTTP_X_FORWARDED_PORT" in self.meta:
             port = self.meta["HTTP_X_FORWARDED_PORT"]
@@ -172,9 +151,12 @@ class HttpRequest:
         return str(port)
 
     def get_full_path(self, force_append_slash=False):
-        return self._get_full_path(self.path, force_append_slash)
+        """
+        Return the full path for the request, including query string.
 
-    def _get_full_path(self, path, force_append_slash):
+        If force_append_slash is True, append a trailing slash if the path
+        doesn't already end with one.
+        """
         # RFC 3986 requires query string arguments to be in the ASCII range.
         # Rather than crash if this doesn't happen, we encode defensively.
 
@@ -195,8 +177,8 @@ class HttpRequest:
             return quote(path, safe="/:@&+$,-_.!~*'()")
 
         return "{}{}{}".format(
-            escape_uri_path(path),
-            "/" if force_append_slash and not path.endswith("/") else "",
+            escape_uri_path(self.path),
+            "/" if force_append_slash and not self.path.endswith("/") else "",
             ("?" + iri_to_uri(self.meta.get("QUERY_STRING", "")))
             if self.meta.get("QUERY_STRING", "")
             else "",
@@ -220,6 +202,8 @@ class HttpRequest:
             location = str(location)
         bits = urlsplit(location)
         if not (bits.scheme and bits.netloc):
+            current_scheme_host = f"{self.scheme}://{self.host}"
+
             # Handle the simple, most common case. If the location is absolute
             # and a scheme or host (netloc) isn't provided, skip an expensive
             # urljoin() as long as no path segments are '.' or '..'.
@@ -233,17 +217,14 @@ class HttpRequest:
                 # If location starts with '//' but has no netloc, reuse the
                 # schema and netloc from the current request. Strip the double
                 # slashes and continue as if it wasn't specified.
-                location = self._current_scheme_host + location.removeprefix("//")
+                location = current_scheme_host + location.removeprefix("//")
             else:
                 # Join the constructed URL with the provided location, which
                 # allows the provided location to apply query strings to the
                 # base path.
-                location = urljoin(self._current_scheme_host + self.path, location)
-        return iri_to_uri(location)
+                location = urljoin(current_scheme_host + self.path, location)
 
-    @cached_property
-    def _current_scheme_host(self):
-        return f"{self.scheme}://{self.get_host()}"
+        return iri_to_uri(location)
 
     def _get_scheme(self):
         """

{plain-0.65.0 → plain-0.66.0}/plain/internal/handlers/base.py

@@ -17,6 +17,7 @@ logger = logging.getLogger("plain.request")
 
 # These middleware classes are always used by Plain.
 BUILTIN_BEFORE_MIDDLEWARE = [
+    "plain.internal.middleware.hosts.HostValidationMiddleware",  # Validate Host header first
     "plain.internal.middleware.headers.DefaultHeadersMiddleware",  # Runs after response, to set missing headers
     "plain.internal.middleware.https.HttpsRedirectMiddleware",  # Runs before response, to redirect to HTTPS quickly
     "plain.csrf.middleware.CsrfViewMiddleware",  # Runs before and after get_response...

{plain-0.65.0/plain/http → plain-0.66.0/plain/internal/middleware}/hosts.py

@@ -1,19 +1,65 @@
-"""
-Host validation utilities for ALLOWED_HOSTS functionality.
-
-This module provides functions for validating hosts against allowed patterns,
-including domain patterns, wildcards, and CIDR notation for IP ranges.
-"""
-
 import ipaddress
+import logging
 
+from plain.http import HttpRequest, ResponseBadRequest
+from plain.runtime import settings
 from plain.utils.regex_helper import _lazy_re_compile
 
+logger = logging.getLogger(__name__)
+
 host_validation_re = _lazy_re_compile(
     r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$"
 )
 
 
+class HostValidationMiddleware:
+    """
+    Middleware to validate the Host header against ALLOWED_HOSTS.
+
+    This middleware should run first to ensure all subsequent code can trust
+    that the host header is valid. Returns a 400 Bad Request response if the
+    host is not allowed.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        if not is_host_valid(request):
+            host = request.host
+            msg = f"Invalid HTTP_HOST header: {host!r}."
+
+            domain, _ = split_domain_port(host)
+            if domain:
+                msg += f" You may need to add {domain!r} to ALLOWED_HOSTS."
+            else:
+                msg += (
+                    " The domain name provided is not valid according to RFC 1034/1035."
+                )
+
+            logger.warning(
+                msg,
+                extra={"status_code": 400, "request": request},
+            )
+
+            return ResponseBadRequest()
+
+        return self.get_response(request)
+
+
+def is_host_valid(request: HttpRequest) -> bool:
+    """
+    Check if the host is valid according to ALLOWED_HOSTS settings.
+    """
+    allowed_hosts = settings.ALLOWED_HOSTS
+
+    if not allowed_hosts:
+        return True  # Allow all hosts if ALLOWED_HOSTS is empty
+
+    domain, _ = split_domain_port(request.host)
+    return bool(domain) and validate_host(domain, allowed_hosts)
+
+
 def split_domain_port(host: str) -> tuple[str, str]:
     """
     Return a (domain, port) tuple from a given host.
@@ -36,7 +82,7 @@ def split_domain_port(host: str) -> tuple[str, str]:
     return domain, port
 
 
-def _is_same_domain(host: str, pattern: str) -> bool:
+def is_same_domain(host: str, pattern: str) -> bool:
     """
     Return ``True`` if the host is either an exact match or a match
     to the wildcard pattern.
@@ -56,7 +102,7 @@ def _is_same_domain(host: str, pattern: str) -> bool:
     )
 
 
-def _parse_ip_address(
+def parse_ip_address(
     host: str,
 ) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
     """
@@ -75,7 +121,7 @@ def _parse_ip_address(
         return None
 
 
-def _parse_cidr_pattern(
+def parse_cidr_pattern(
     pattern: str,
 ) -> ipaddress.IPv4Network | ipaddress.IPv6Network | None:
     """
@@ -127,7 +173,7 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Return ``True`` for a valid host, ``False`` otherwise.
     """
     # Parse the host as an IP address if possible
-    host_ip = _parse_ip_address(host)
+    host_ip = parse_ip_address(host)
 
     for pattern in allowed_hosts:
         # Wildcard matches everything
@@ -135,13 +181,13 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
             return True
 
         # Check CIDR notation patterns using walrus operator
-        if network := _parse_cidr_pattern(pattern):
+        if network := parse_cidr_pattern(pattern):
             if host_ip and host_ip in network:
                 return True
             continue
 
         # For non-CIDR patterns, use existing domain matching logic
-        if _is_same_domain(host, pattern):
+        if is_same_domain(host, pattern):
             return True
 
     return False

{plain-0.65.0 → plain-0.66.0}/plain/internal/middleware/https.py

@@ -21,7 +21,6 @@ class HttpsRedirectMiddleware:
 
     def maybe_https_redirect(self, request):
         if self.https_redirect_enabled and not request.is_https():
-            host = request.get_host()
             return ResponseRedirect(
-                f"https://{host}{request.get_full_path()}", status_code=301
+                f"https://{request.host}{request.get_full_path()}", status_code=301
             )

{plain-0.65.0 → plain-0.66.0}/plain/internal/middleware/slash.py

@@ -65,7 +65,7 @@ class RedirectSlashMiddleware:
                 f"You called this URL via {request.method}, but the URL doesn't end "
                 "in a slash and you have APPEND_SLASH set. Plain can't "
                 f"redirect to the slash URL while maintaining {request.method} data. "
-                f"Change your form to point to {request.get_host() + new_path} (note the trailing "
+                f"Change your form to point to {request.host + new_path} (note the trailing "
                 "slash), or set APPEND_SLASH=False in your Plain settings."
             )
         return new_path

{plain-0.65.0 → plain-0.66.0}/plain/runtime/global_settings.py

@@ -25,7 +25,7 @@ URLS_ROUTER: str
 # Hosts/domain names that are valid for this site.
 # "*" matches anything, ".example.com" matches example.com and all subdomains
 # "192.168.1.0/24" matches IP addresses in that CIDR range
-ALLOWED_HOSTS: list[str] = []
+ALLOWED_HOSTS: list[str]
 
 # Default headers for all responses.
 DEFAULT_RESPONSE_HEADERS = {

{plain-0.65.0 → plain-0.66.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "plain"
-version = "0.65.0"
+version = "0.66.0"
 description = "A web framework for building products with Python."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"

{plain-0.65.0 → plain-0.66.0}/tests/app/settings.py

@@ -1,3 +1,4 @@
+ALLOWED_HOSTS = []
 SECRET_KEY = "secret"
 DEBUG = True
 

{plain-0.65.0 → plain-0.66.0}/tests/test_http_hosts.py

@@ -1,6 +1,6 @@
 import pytest
 
-from plain.http.hosts import split_domain_port, validate_host
+from plain.internal.middleware.hosts import split_domain_port, validate_host
 
 
 @pytest.mark.parametrize(

{plain-0.65.0 → plain-0.66.0}/tests/test_wsgi.py

@@ -8,7 +8,6 @@ def test_wsgi_handler():
     Test the default plain.wsgi.app import and
     basic behavior with minimal environ input.
     """
-
     wsgi = WSGIHandler()
     response = wsgi(
         {