diff options
| author | Tim Graham <timograham@gmail.com> | 2016-10-17 12:14:49 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-10-25 15:18:29 -0400 |
| commit | 45acd6d836895a4c36575f48b3fb36a3dae98d19 (patch) | |
| tree | 8c6c9240ac82443b3e425a2dd72115dae9201f57 /docs/ref | |
| parent | 4844d86c7728c1a5a3bbce4ad336a8d32304072b (diff) | |
[1.9.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/settings.txt | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 63aca2e978..ba5ae2e351 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -90,14 +90,18 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if list, the :meth:`django.http.HttpRequest.get_host()` method will raise :exc:`~django.core.exceptions.SuspiciousOperation`. -When :setting:`DEBUG` is ``True`` or when running tests, host validation is -disabled; any host will be accepted. Thus it's usually only necessary to set it -in production. +When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host +is validated against ``['localhost', '127.0.0.1', '[::1]']``. This validation only applies via :meth:`~django.http.HttpRequest.get_host()`; if your code accesses the ``Host`` header directly from ``request.META`` you are bypassing this security protection. +.. versionchanged:: 1.9.11 + + In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``. + This was also changed in Django 1.8.16 to prevent a DNS rebinding attack. + .. setting:: ALLOWED_INCLUDE_ROOTS ALLOWED_INCLUDE_ROOTS |
