relax get_host strictness (#3148)

davidism · web-flow · commit 7926f0bc3a0d · 2026-04-02T08:36:37.000-07:00
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -5,6 +5,9 @@ Version 3.1.8
 
 Unreleased
 
+-   ``Request.host`` and ``get_host`` return the empty string if the header is
+    missing or has invalid characters. :issue:`3142`
+
 
 Version 3.1.7
 -------------
diff --git a/src/werkzeug/sansio/utils.py b/src/werkzeug/sansio/utils.py
@@ -92,6 +92,10 @@ def get_host(
     up of valid characters, but this does not check validity beyond that. If a
     list of trusted domains is given, the domain must match one.
 
+    If the host header is not available, such as for HTTP/0.9 and 1.0, or it has
+    invalid characters, the empty string is returned. Subdomain and host
+    routing, and external URL building, will not work in these cases.
+
     :param scheme: The protocol of the request. Used to omit the standard ports
         80 and 443.
     :param host_header: The ``Host`` header value.
@@ -107,7 +111,11 @@ def get_host(
     :return: Host, with port if necessary.
     :raise .SecurityError: If the host is not trusted.
 
-    .. versionchanged:: 3.2
+    .. versionchanged:: 3.1.8
+        The empty string is again returned if no host header value is available,
+        or if the characters are invalid.
+
+    .. versionchanged:: 3.1.7
         The characters of the host value are validated. The empty string is no
         longer allowed if no header value is available.
 
@@ -130,15 +138,20 @@ def get_host(
 
         host = f"{host}:{server[1]}"
     else:
-        host = ""
+        # Pass through empty host from HTTP/0.9 and 1.0.
+        return ""
 
     if scheme in {"http", "ws"}:
         host = host.removesuffix(":80")
     elif scheme in {"https", "wss"}:
         host = host.removesuffix(":443")
 
     if not host_is_trusted(host, trusted_hosts):
-        raise SecurityError(f"Host {host!r} is not trusted.")
+        if trusted_hosts:
+            raise SecurityError(f"Host {host!r} is not trusted.")
+
+        # Invalid characters, treat as empty.
+        return ""
 
     return host
 
diff --git a/tests/sansio/test_utils.py b/tests/sansio/test_utils.py
@@ -2,7 +2,6 @@
 
 import pytest
 
-from werkzeug.exceptions import SecurityError
 from werkzeug.sansio.utils import get_content_length
 from werkzeug.sansio.utils import get_host
 
@@ -37,23 +36,19 @@ def test_get_host(
     assert get_host(scheme, host_header, server) == expected
 
 
-def test_get_host_unix_invalid() -> None:
-    with pytest.raises(SecurityError):
-        get_host("http", None, ("unix/socket", None))
+def test_get_host_unix() -> None:
+    assert get_host("http", None, ("unix/socket", None)) == ""
 
 
-def test_get_host_missing_invalid() -> None:
-    with pytest.raises(SecurityError):
-        get_host("http", None, None)
+def test_get_host_missing() -> None:
+    assert get_host("http", None, None) == ""
 
 
 @pytest.mark.parametrize(
-    "value",
-    ["", "a.test:8080@b.test", "a.test:port", "[z:443]:8080"],
+    "value", ["", "a.test:8080@b.test", "a.test:port", "[z:443]:8080"]
 )
 def test_get_host_invalid(value: str | None) -> None:
-    with pytest.raises(SecurityError):
-        get_host("http", value, None)
+    assert get_host("http", value, None) == ""
 
 
 @pytest.mark.parametrize(
