summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2016-10-17 12:14:49 -0400
committerTim Graham <timograham@gmail.com>2016-11-01 09:36:44 -0400
commit884e113838e5a72b4b0ec9e5e87aa480f6aa4472 (patch)
tree97ce5e895dfd3c655d10983c3805725e641db6a6 /docs/ref
parent34e10720d81b8d407aa14d763b6a7fe8f13b4f2e (diff)
[1.10.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/settings.txt11
1 files changed, 8 insertions, 3 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 6ddc219bca..d908c4d9df 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -90,14 +90,19 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if
list, the :meth:`django.http.HttpRequest.get_host()` method will raise
:exc:`~django.core.exceptions.SuspiciousOperation`.
-When :setting:`DEBUG` is ``True`` or when running tests, host validation is
-disabled; any host will be accepted. Thus it's usually only necessary to set it
-in production.
+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
+is validated against ``['localhost', '127.0.0.1', '[::1]']``.
This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
if your code accesses the ``Host`` header directly from ``request.META`` you
are bypassing this security protection.
+.. versionchanged:: 1.10.3
+
+ In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``.
+ This was also changed in Django 1.9.11 and 1.8.16 to prevent a
+ DNS rebinding attack.
+
.. setting:: APPEND_SLASH
``APPEND_SLASH``