Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-20 Thread Carl Meyer
On Feb 20, 2013, at 6:25 PM, Ian Kelly wrote: > On Feb 20, 2013 4:41 PM, "Carl Meyer" wrote: > > On 02/20/2013 04:25 PM, Nick Phillips wrote: > > >> There was extensive back-and-forth discussion of this in writing the > > >> patch. The issue is that in

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-20 Thread Ian Kelly
On Feb 20, 2013 4:41 PM, "Carl Meyer" wrote: > > On 02/20/2013 04:25 PM, Nick Phillips wrote: > >> There was extensive back-and-forth discussion of this in writing the > >> patch. The issue is that in almost all cases the correct value of the > >> setting in local development

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-20 Thread Carl Meyer
On 02/20/2013 04:25 PM, Nick Phillips wrote: >> There was extensive back-and-forth discussion of this in writing the >> patch. The issue is that in almost all cases the correct value of the >> setting in local development and under test are different from the >> correct value in production. So how

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-20 Thread Nick Phillips
On Tue, 2013-02-19 at 15:46 -0700, Carl Meyer wrote: > Hi Nick, > > On 02/19/2013 03:32 PM, Nick Phillips wrote: > > I don't recall looking at the ALLOWED_HOSTS setting before. Now that I > > do, it seems rather problematic. In particular, that host verification > > is apparently turned off while

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-20 Thread Carl Meyer
On 02/20/2013 01:58 AM, Reinout van Rees wrote: > On 19-02-13 23:32, Nick Phillips wrote: >> I don't recall looking at the ALLOWED_HOSTS setting before. > > Should there be a note in the 1.4 docs that the default ['*'] value is a > temporary default value? That from 1.5 onwards it will be an

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-20 Thread Reinout van Rees
On 19-02-13 23:32, Nick Phillips wrote:
> I don't recall looking at the ALLOWED_HOSTS setting before.
Should there be a note in the 1.4 docs that the default ['*'] value is a temporary default value? That from 1.5 onwards it will be an empty list?

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-19 Thread Carl Meyer
Hi Nick, On 02/19/2013 03:32 PM, Nick Phillips wrote: > I don't recall looking at the ALLOWED_HOSTS setting before. Now that I > do, it seems rather problematic. In particular, that host verification > is apparently turned off while DEBUG is True or while testing. > > Surely this makes it

Re: ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-19 Thread Nick Phillips
On Tue, 2013-02-19 at 14:50 -0600, James Bennett wrote: > We've issued several security releases today. Details are in the blog post: > > https://www.djangoproject.com/weblog/2013/feb/19/security/ > > We recommend everyone carefully read this one, as it has an > end-user-visible change requiring

ANNOUNCE: Django 1.5 release candidate 2, Django 1.4.4, Django 1.3.6 (security releases)

2013-02-19 Thread James Bennett
We've issued several security releases today. Details are in the blog post: https://www.djangoproject.com/weblog/2013/feb/19/security/ We recommend everyone carefully read this one, as it has an end-user-visible change requiring action beyond simply upgrading your Django package.