On Friday, January 28, 2011 2:09:06 AM UTC+11, Tom Evans wrote:
>
> On Wed, Jan 26, 2011 at 6:18 PM, Jari Pennanen <[email protected]> 
> wrote:
> > On Jan 26, 6:56 pm, FeatherDark <[email protected]> wrote:
> >> Greetings huge django developer list,
> >> I just wanted to mention, this method totally works for me, I call it
> >> "Skinning"
> >>
> >> In the templates folder I have a file called "base.html"
> >> Inside that file is only 1 line:
> >> {% extends request.META.HTTP_HOST|cut:':'|add:'.html'%}
> >
> > request.META.HTTP_HOST is coming from Client. "Trust but verify", you
> > are not verifying this. It could pose a security risk. One could send
> > a request with malicious Host header and make the site retrieve
> > different template. This is not a serious issue, since you probably
> > don't have templates that would wreak havoc.
> >
> > Why don't you create own template context processor that would add the
> > verified HTTP_HOST to template context? Then you could do just
> >
> > {% extends MY_VERIFIED_HTTP_HOST %}
> >
> > See:
> > http://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpRequest.META
> > http://docs.djangoproject.com/en/dev/ref/templates/api/#writing-your-own-context-processors
> >
>
> request.META['HTTP_HOST'] is also the primary mechanism for
> determining which website to serve when doing virtual hosting, IE if
> you use apache and your site is hosted in a structure like:
>
> NameVirtualHost *:80
> <VirtualHost *:80>
>   ServerName www.foo.com
>   ServerAlias *.foo.com *.bar.com *.quuz.com
>   ....
> </VirtualHost>
>
> Then that variable already is being verified.
>

Yes and no.

Apache uses it to resolve name based virtual hosts, but if it can't match it 
against a specific virtual host from memory it routes the request to the 
first VirtualHost which was found in the Apache configuration for that port.

Have many times seen broken VirtualHost configurations which shouldn't work, 
but seem to, because the user only had one VirtualHost definition and so 
Apache was routing the request to it anyway.

If you were going to be rigorous you would add a dummy VirtualHost as first 
in the Apache configuration and have 'Deny from all' in it so that any attempts 
to access an unknown host would fall back to this and get forbidden.

Graham
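An added example, not code from anyone in this thread: the "verified HTTP_HOST in a context processor" approach Jari suggests, written so that the fallback behaviour Graham describes for Apache also exists on the Django side. The host is parsed (port stripped, lowercased, trailing dot removed, bracketed IPv6 literals kept intact), checked against an allowlist using Django's ALLOWED_HOSTS spelling (exact host, or a leading dot for a domain and its subdomains), and anything unknown or malformed is routed to a default skin instead of being turned into a template name. The allowlist, the "default" skin name, the `<host>.html` naming and the fake request object are my assumptions for the example; the module is plain Python so it runs without Django installed.

```python
"""Skinning by Host header, with the header verified before it names a template.

Added example for the thread above (not the original poster's code). Assumed:
skin templates are named "<host>.html", an allowlist of hosts is configured,
and unknown hosts fall back to a default skin.
"""
import re

# Django ALLOWED_HOSTS spelling: exact host, or ".bar.com" for bar.com and
# every subdomain of it. Constructed for this example.
ALLOWED_SKIN_HOSTS = ["www.foo.com", ".bar.com", "quuz.com"]
DEFAULT_SKIN = "default"  # assumed name of the fallback skin template

# Hostname shape: dot-separated labels of letters, digits and inner hyphens.
_HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)


def split_host_port(raw):
    """Split a Host header value into (host, port), or (None, None) if malformed.

    Does what the original |cut:':' filter tried to do, but keeps bracketed
    IPv6 literals intact, lowercases the host and drops a trailing dot.
    """
    value = raw.strip().lower()
    if value.startswith("["):                     # "[::1]:8000"
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[: end + 1], value[end + 1 :]
    elif value.count(":") == 1:                   # "host:port"
        host, rest = value.split(":")
        rest = ":" + rest
    elif ":" in value:                            # bare IPv6 or garbage: refuse
        return None, None
    else:
        host, rest = value, ""
    port = None
    if rest:
        if not re.fullmatch(r":\d{1,5}", rest):
            return None, None
        port = int(rest[1:])
    host = host.rstrip(".")
    if not host:
        return None, None
    return host, port


def host_is_allowed(host, allowed):
    """Allowlist check: exact match, or ".domain" matching domain and subdomains."""
    if host is None:
        return False
    if not host.startswith("[") and not _HOST_RE.match(host):
        return False                              # e.g. "../../etc/passwd"
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def skin_for_host(raw_host, allowed=ALLOWED_SKIN_HOSTS, default=DEFAULT_SKIN):
    """Template name for a Host header; unknown/malformed/missing -> default skin."""
    if raw_host is None:
        return default + ".html"
    host, _port = split_host_port(raw_host)
    if not host_is_allowed(host, allowed):
        return default + ".html"
    return host + ".html"


def skin_context_processor(request):
    """Django context processor shape (request -> dict). Register it and write
    {% extends SKIN_TEMPLATE %} in base.html instead of using HTTP_HOST directly."""
    return {"SKIN_TEMPLATE": skin_for_host(request.META.get("HTTP_HOST"))}


if __name__ == "__main__":
    class _FakeRequest:  # constructed stand-in for django.http.HttpRequest
        def __init__(self, host):
            self.META = {"HTTP_HOST": host}

    for h in ["www.foo.com", "Shop.BAR.com:8080", "../../etc/passwd", "evil.com"]:
        print(repr(h), "->", skin_context_processor(_FakeRequest(h))["SKIN_TEMPLATE"])
```

The allowlist is deliberately the same shape as Django's ALLOWED_HOSTS so the two can be kept in one setting; the point of the default skin is that a request for a host you never configured still renders something predictable rather than whatever template name the client chose.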

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.