[Toaster] [PATCH 1/1] toaster: settings.py , add * to ALLOWED_HOSTS
Michael Wood
michael.g.wood at intel.com
Wed Nov 2 05:46:03 PDT 2016
On 02/11/16 00:03, brian avery wrote:
> As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
> not on the ALLOWED_HOST list. We often need to reference the
> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
> instance, and are hitting the server from a laptop. This change does
> reduce the protection from a DNS rebinding attack, however, if you are
> running the toaster server outside a protected network, you need to be
> using the production instance.
>
> Fixes [YOCTO #10578].
>
> Signed-off-by: brian avery <brian.avery at intel.com>
> ---
> lib/toaster/toastermain/settings.py | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
> index 3dfa2b2..718e809 100644
> --- a/lib/toaster/toastermain/settings.py
> +++ b/lib/toaster/toastermain/settings.py
> @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
>
> # Hosts/domain names that are valid for this site; required if DEBUG is False
> # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
> -ALLOWED_HOSTS = []
> +# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
> +# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/
> +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']
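Review bot: in the new `ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']` line the three explicit entries are dead configuration, because the trailing `'*'` matches every Host header and switches Django's host validation off entirely (the commit message itself notes the lost DNS rebinding protection). If arbitrary hosts are only needed for the development server, gate the wildcard on `DEBUG` or derive the extra entry from the configured bind address, so a deployment that ships this settings.py unchanged keeps host checking. Minor: the added comment links to the unversioned `/en/dev/` docs while the line above still cites `/en/1.5/`; both should point at the 1.8 release the comment is explaining.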
This is an odd way to express the ALLOWED_HOSTS: you've specified 3
allowed ones and then said, "aannnd everything!" This could easily be
missed by anyone using the default configuration. I think it would be
better either to restore the old behaviour by doing:
if DEBUG is True:
    ALLOWED_HOSTS = [ '*' ]
or by being smarter and inspecting the value of the environment variable
ADDR_PORT and appending a best value for ALLOWED_HOSTS.
I've opened a bug to provide an example production environment settings
file which will help with this sort of problem.
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10581
>
> # Local time zone for this installation. Choices can be found here:
> # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
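One way to do the "smarter" thing suggested above, as an added example that is not Michael's code nor part of toaster: a hypothetical helper that derives ALLOWED_HOSTS from the ADDR_PORT environment variable, assumed here to hold a `host:port` value like the `0.0.0.0:8000` in the commit message, and only ever adds `'*'` when DEBUG is on.

```python
import os
import socket


def allowed_hosts_from_env(addr_port, debug=False, fqdn=None, hostname=None):
    """Build a Django ALLOWED_HOSTS list from a toaster ADDR_PORT value.

    Hypothetical helper (not toaster code). Loopback names are always
    allowed. A specific bind address is added as-is. When the server
    binds to every interface (0.0.0.0 or ::) the Host header will carry
    the machine's name rather than the bind address, so the hostname and
    FQDN are added instead. The wildcard is only appended when DEBUG is
    set, so a production settings file never disables host validation.
    """
    hosts = ['localhost', '127.0.0.1', '::1']
    host = addr_port.rsplit(':', 1)[0] if addr_port else ''
    host = host.strip('[]')  # accept the [::]:8000 form for IPv6 literals
    if host in ('', '0.0.0.0', '::'):
        # fqdn/hostname parameters exist so this is testable offline;
        # settings.py would let them default to the socket lookups
        for name in (hostname or socket.gethostname(),
                     fqdn or socket.getfqdn()):
            if name and name not in hosts:
                hosts.append(name)
    elif host not in hosts:
        hosts.append(host)
    if debug:
        hosts.append('*')
    return hosts


if __name__ == '__main__':
    # What settings.py would do: ADDR_PORT comes from the environment,
    # DEBUG from the settings module itself (False assumed here).
    print(allowed_hosts_from_env(os.environ.get('ADDR_PORT', ''),
                                 debug=False))
```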
More information about the toaster
mailing list