Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runserver doesn't respect host setting #449

Open
mikh3x4 opened this issue Mar 15, 2022 · 3 comments
Open

runserver doesn't respect host setting #449

mikh3x4 opened this issue Mar 15, 2022 · 3 comments
Labels
help wanted

Comments

@mikh3x4
Copy link

mikh3x4 commented Mar 15, 2022

aiohttp-devtools version: 1.0.post0
aiohttp version: 3.8.1
python version: 3.10
Platform: mac

Issue Summary

adev runserver doesn't respect the host setting - it always uses 0.0.0.0 which means the server can be always accused from any computer on the network.

Steps to reproduce

create a file test.py

from aiohttp import web

class Main:
    def __init__(self):
        self.app = web.Application()
        self.app.router.add_get('/', self.handle_request)

    async def handle_request(self, request):
        return web.Response(text="testing", content_type='text/html')

def get_app():
    page = Main()
    return page.app

and run command adev runserver test.py --host localhost

As expected we can access the page from the computer it is running on. However it is also possible to access the page from any other computer on the network, which (according to my understanding) shouldn't be possible with this host setting.

If this is indeed and issue then I suspect its because of using HOST instead of host here:

aiohttp-devtools/aiohttp_devtools/runserver/main.py

Line 65 in 3e517d2

return {"app": aux_app, "host": HOST, "port": config.aux_port,

If it is not an issue how could I restrict the dev server to only be accessible from localhost?
@Dreamsorcerer
Copy link
Member

I'll take a closer look later, but the documentation just says that it is the host to access the static files:
https://github.com/aio-libs/aiohttp-devtools/blob/master/aiohttp_devtools/cli.py#L49-L50

Maybe you're confusing it with the --hosts option in aiohttp-debugtoolbar?
https://github.com/aio-libs/aiohttp-debugtoolbar#settings

@mikh3x4
Copy link
Author

mikh3x4 commented Mar 15, 2022

It also doesn’t change the host of the static server

aiohttp-devtools/aiohttp_devtools/runserver/main.py

Line 81 in 3e517d2

return {"app": app, "host": HOST, "port": port,

@Dreamsorcerer
Copy link
Member

OK, so the setting appears to get used here:
https://github.com/aio-libs/aiohttp-devtools/blob/master/aiohttp_devtools/runserver/serve.py#L55

To change the host used for the static server.

I'm not really sure how well that works, or if it's worth changing it. We could probably add a new option for setting the binding address, or maybe repurpose this option. Feel free to give it a go.

@Dreamsorcerer Dreamsorcerer mentioned this issue May 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Dreamsorcerer @mikh3x4