Hi,

On Wed, Nov 2, 2016 at 5:46 AM, Michael Wood <[email protected]> wrote:
> On 02/11/16 00:03, brian avery wrote:
>> As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
>> not on the ALLOWED_HOST list. We often need to reference the
>> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
>> instance, and are hitting the server from a laptop. This change does
>> reduce the protection from a DNS rebinding attack, however, if you are
>> running the toaster server outside a protected network, you need to be
>> using the production instance.
>>
>> Fixes [YOCTO #10578 ].
>>
>> Signed-off-by: brian avery <[email protected]>
>> ---
>> lib/toaster/toastermain/settings.py | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
>> index 3dfa2b2..718e809 100644
>> --- a/lib/toaster/toastermain/settings.py
>> +++ b/lib/toaster/toastermain/settings.py
>> @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
>> # Hosts/domain names that are valid for this site; required if DEBUG is False
>> # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
>> -ALLOWED_HOSTS = []
>> +# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
>> +# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/
>> +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']
>>
>
> This is an odd way to express the ALLOWED_HOSTS, you've specified 3
> allowed ones and then said, "aannnd everything!" this could easily be
> missed by anyone using the default configuration. I think it would be
> better either to restore the old behaviour by doing:
>
> if DEBUG is True:
> ALLOWED_HOSTS = [ '*' ]
>

I don't mind the if DEBUG part. The value ['localhost','127.0.0.1','::1'] is what we are currently getting by setting
> ALLOWED_HOSTS = [ ]
so I wanted to 1) make it clear what the old default was 2) provide a place to replace '*' with 'cow.intel.com' and have the system still work. If I do
> ALLOWED_HOSTS = [ 'cow.intel.com'],
then std usage aka
> http://localhost:8000
would break
> if I do ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','cow.intel.com']
then it will work as I would expect.

> or by being smarter and inspecting the value of the environment variable
> ADDR_PORT and appending a best value for ALLOWED_HOSTS.
>
> I've opened a bug to provide an example production environment settings
> file which will help with this sort of problem.
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10581

Well, we already have a production setup and generally this is handled at the nginx layer so that the django server doesn't even see it.

-b

>
>
>> # Local time zone for this installation. Choices can be found here:
>> # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
>>
>
>
> --
> _______________________________________________
> toaster mailing list
> [email protected]
> https://lists.yoctoproject.org/listinfo/toaster
>
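Review bot: the new `ALLOWED_HOSTS` line contradicts itself: once `'*'` is in the list, the `'localhost'`, `'127.0.0.1'` and `'::1'` entries are dead, and the net effect for anyone who keeps the default settings.py is that Host header validation is switched off entirely, which the commit message itself concedes weakens the DNS rebinding protection this Django release added. The comment above it should state that plainly (`'*'` disables Host header validation) instead of pointing at a generic docs URL, and the old `/en/1.5/` link two lines up is now sitting next to a new `/en/dev/` one. One caveat on the explicit entries: Django compares IPv6 hosts in bracketed form, so a Host header of `[::1]:8000` is matched against `'[::1]'` and the unbracketed `'::1'` never matches. A safer shape, using the `DEBUG` gate raised in the reply, is `ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]']` followed by `if DEBUG: ALLOWED_HOSTS.append('*')`, or derive the extra entry from `ADDR_PORT` so the wildcard is never needed at all.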
--
_______________________________________________
toaster mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/toaster
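Michael's suggestion of deriving `ALLOWED_HOSTS` from `ADDR_PORT`, together with the matching rules the thread argues about, as an added example that is not part of this thread or of Toaster's code. Assumptions: the `ADDR_PORT` value has the `host:port` shape of the `webport=0.0.0.0:8000` form in the patch description; `split_domain_port`, `validate_host` and `host_allowed` are a simplified re-implementation of Django's documented `ALLOWED_HOSTS` semantics (exact match, leading-dot subdomain match, `'*'` matches everything, IPv6 literals kept in bracketed form), not Django's own code; all host names are constructed.

```python
import re

# Django's DEBUG-mode defaults when ALLOWED_HOSTS is empty (IPv6 is bracketed).
LOCAL_HOSTS = ['localhost', '127.0.0.1', '[::1]']

# Shape of a Host header value: a DNS name / IPv4, or a bracketed IPv6 literal,
# with an optional port. Simplified re-implementation, not Django's own regex.
_HOST_RE = re.compile(r'^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$')


def split_domain_port(host):
    """Split 'host[:port]' into (domain, port), keeping IPv6 brackets.

    Returns ('', '') for anything that is not a well-formed host, so a
    malformed header can never match an ALLOWED_HOSTS entry by accident.
    """
    match = _HOST_RE.match(host.lower().strip())
    if not match:
        return '', ''
    domain, port = match.groups()
    domain = domain[:-1] if domain.endswith('.') else domain  # drop trailing dot
    return domain, (port or '')[1:]


def validate_host(domain, allowed_hosts):
    """Documented ALLOWED_HOSTS semantics: '*' matches anything, a leading-dot
    entry matches the domain and all of its subdomains, anything else is exact."""
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern == '*':
            return True
        if pattern.startswith('.') and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
        if pattern == domain:
            return True
    return False


def host_allowed(host_header, allowed_hosts):
    """True if a raw Host header value would pass the ALLOWED_HOSTS check."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


def allowed_hosts_from_env(addr_port, debug=False):
    """Build an explicit ALLOWED_HOSTS from a 'host:port' bind value.

    A wildcard bind (0.0.0.0 or [::]) says nothing about the name clients
    will use, so it contributes no entry; '*' is appended only when debug
    is True, which is the DEBUG gate proposed in the thread.
    """
    hosts = list(LOCAL_HOSTS)
    domain, _port = split_domain_port(addr_port or '')
    if domain and domain not in ('0.0.0.0', '[::]') and domain not in hosts:
        hosts.append(domain)
    if debug:
        hosts.append('*')
    return hosts


if __name__ == '__main__':
    # Constructed values: a Toaster bound to a named host, and three Host headers.
    strict = allowed_hosts_from_env('toaster.example.com:8000')
    loose = strict + ['*']
    for header in ('localhost:8000', 'toaster.example.com:8000', 'rebound.example:8000'):
        print(header, 'strict:', host_allowed(header, strict), 'with *:', host_allowed(header, loose))
```

The last header in the demo stands in for a name an attacker-controlled DNS record could point at the developer's machine: with the explicit list it is rejected, and with `'*'` appended it is accepted, which is exactly the difference the reply is worried about. Note also that an entry written as `'::1'` never matches a `[::1]:8000` header under these rules, since the bracketed domain is what gets compared.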
