Merge branch 'master' into dependabot/pip/python-packages-2e871ce8bd

encode · Oct 9, 2024 · b4892fe · b4892fe
2 parents cd34184 + 108b1c9
commit b4892fe
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/docs/deployment.md b/docs/deployment.md
@@ -376,7 +376,7 @@ Uvicorn can use these headers to correctly set the client and protocol in the re
 However as anyone can set these headers you must configure which "clients" you will trust to have set them correctly.
 
 Uvicorn can be configured to trust IP Addresses (e.g. `127.0.0.1`), IP Networks (e.g. `10.100.0.0/16`),
-or Literals (e.g. `/path/to/socket.sock`). When running from CLI these are configured using `--forwarded-trust-ips`.
+or Literals (e.g. `/path/to/socket.sock`). When running from CLI these are configured using `--forwarded-allow-ips`.
 
 !!! Warning "Only trust clients you can actually trust!"
     Incorrectly trusting other clients can lead to malicious actors spoofing their apparent client address to your application.

diff --git a/tests/middleware/test_proxy_headers.py b/tests/middleware/test_proxy_headers.py
@@ -56,6 +56,7 @@ def make_httpx_client(
 # of the _TrustedHosts.__init__ method.
 _TRUSTED_NOTHING: list[str] = []
 _TRUSTED_EVERYTHING = "*"
+_TRUSTED_EVERYTHING_LIST = ["*"]
 _TRUSTED_IPv4_ADDRESSES = "127.0.0.1, 10.0.0.1"
 _TRUSTED_IPv4_NETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]
 _TRUSTED_IPv6_ADDRESSES = [
@@ -65,7 +66,7 @@ def make_httpx_client(
     "::11.22.33.44",  # This is a dual address
 ]
 _TRUSTED_IPv6_NETWORKS = "2001:db8:abcd:0012::0/64"
-_TRUSTED_LITERALS = "some-literal , unix:///foo/bar  ,  /foo/bar"
+_TRUSTED_LITERALS = "some-literal , unix:///foo/bar  ,  /foo/bar, garba*gewith*"
 
 
 @pytest.mark.parametrize(
@@ -122,6 +123,7 @@ def make_httpx_client(
         (_TRUSTED_EVERYTHING, "192.168.0.0", True),
         (_TRUSTED_EVERYTHING, "192.168.0.1", True),
         (_TRUSTED_EVERYTHING, "1.1.1.1", True),
+        (_TRUSTED_EVERYTHING_LIST, "1.1.1.1", True),
         # Test IPv6 Addresses
         (_TRUSTED_EVERYTHING, "2001:db8::", True),
         (_TRUSTED_EVERYTHING, "2001:db8:abcd:0012::0", True),
@@ -136,6 +138,7 @@ def make_httpx_client(
         (_TRUSTED_EVERYTHING, "::b16:212c", True),  # aka ::11.22.33.44
         (_TRUSTED_EVERYTHING, "a:b:c:d::", True),
         (_TRUSTED_EVERYTHING, "::a:b:c:d", True),
+        (_TRUSTED_EVERYTHING_LIST, "::a:b:c:d", True),
         # Test Literals
         (_TRUSTED_EVERYTHING, "some-literal", True),
         (_TRUSTED_EVERYTHING, "unix:///foo/bar", True),
@@ -145,6 +148,7 @@ def make_httpx_client(
         (_TRUSTED_EVERYTHING, "unix:///another/path", True),
         (_TRUSTED_EVERYTHING, "/another/path", True),
         (_TRUSTED_EVERYTHING, "", True),
+        (_TRUSTED_EVERYTHING_LIST, "", True),
         ## Trust IPv4 Addresses
         ## -----------------------------
         # Test IPv4 Addresses

diff --git a/uvicorn/middleware/proxy_headers.py b/uvicorn/middleware/proxy_headers.py
@@ -68,7 +68,7 @@ class _TrustedHosts:
     """Container for trusted hosts and networks"""
 
     def __init__(self, trusted_hosts: list[str] | str) -> None:
-        self.always_trust: bool = trusted_hosts == "*"
+        self.always_trust: bool = trusted_hosts in ("*", ["*"])
 
         self.trusted_literals: set[str] = set()
         self.trusted_hosts: set[ipaddress.IPv4Address | ipaddress.IPv6Address] = set()