As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is not on the ALLOWED_HOST list. We often need to reference the toaster server via an FQDN, if we start it via webport=0.0.0.0:8000 for instance, and are hitting the server from a laptop. This change does reduce the protection from a DNS rebinding attack; however, if you are running the toaster server outside a protected network, you need to be using the production instance.
Fixes [YOCTO #10578 ]. Signed-off-by: brian avery <[email protected]> --- lib/toaster/toastermain/settings.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py index 3dfa2b2..718e809 100644 --- a/lib/toaster/toastermain/settings.py +++ b/lib/toaster/toastermain/settings.py @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']: # Hosts/domain names that are valid for this site; required if DEBUG is False # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts -ALLOWED_HOSTS = [] +# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running +# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/ +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*'] # Local time zone for this installation. Choices can be found here: # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name -- 1.9.1 -- _______________________________________________ toaster mailing list [email protected] https://lists.yoctoproject.org/listinfo/toaster
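Review bot: In the settings.py hunk, the new `ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']` line lists three loopback names next to `'*'`, but the wildcard matches every Host header, so the explicit entries have no effect and Host validation is switched off wherever this settings file is used. The commit message accepts the reduced DNS rebinding protection for non-production use, yet the in-code comment only says the wildcard "is needed to allow us to connect"; please state that tradeoff in the comment so someone reading settings.py on its own sees it. Consider keeping the loopback entries as the default and adding the wildcard (or the specific FQDN) only when the operator opts in, for example through a value read at startup, so that a deployment reusing this file does not inherit `'*'` silently. The added comment also points at the unversioned `en/dev` settings page while the line above it still points at `en/1.5`; linking the allowed-hosts section for the 1.8 release would keep both references consistent with the version being discussed.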
