id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29606	Validate the type of ALLOWED_HOSTS	rafis	Marius Räsener	"Python has soft behavior for conducting iteration process over lists and over strings making them look the same:
{{{#!python
    for char_or_item in str_or_list:
        -- `char_or_item` can be character or list item
}}}
It would be better if it would have more strict behavior, for example,
{{{#!python
    for char in some_str.chars():
        -- now `char` can be only of string type and `list` class would not have `chars` method
}}}
and for list
{{{#!python
    for item in some_list.list_items():
        -- `string` class would not have `list_items` method
}}}
This soft behavior usually leads to many nasty bugs to appear. Our two software engineers from our team wasted about 1 hour debugging the issue with ALLOWED_HOSTS being initialized with string in `local_settings.py` which is included at the end of `settings.py`. Django was matching each separate character of ALLOWED_HOSTS string against the ""Host:"" header from an incoming HTTP request.

An obvious self-suggesting solution is to add a new system check that will check the type of ALLOWED_HOSTS if it is string or not and notify the developer about possible improper configuration. I think blacklist checking (string or not) is more appropiate here, but I can be wrong."	New feature	closed	Core (Other)	dev	Normal	fixed	allowed_hosts	Adam Johnson Herbert Fortes Marius Räsener	Ready for checkin	1	0	0	0	1	0