summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarl Meyer <carl@oddbird.net>2013-02-09 12:25:52 -0700
committerAymeric Augustin <aymeric.augustin@m4x.org>2013-02-12 11:41:43 +0100
commit27cd872e6e36a81d0bb6f5b8765a1705fecfc253 (patch)
tree3edf53617ba027f636fa1576987bed9537d4aa1a /docs
parent6e70f67470d6d4baf87728702886f89ac075b73c (diff)
[1.3.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/settings.txt36
-rw-r--r--docs/releases/1.3.6.txt31
-rw-r--r--docs/releases/index.txt1
3 files changed, 68 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 24ccb5f949..68869f166c 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -82,6 +82,42 @@ of (Full name, e-mail address). Example::
Note that Django will e-mail *all* of these people whenever an error happens.
See :doc:`/howto/error-reporting` for more information.
+.. setting:: ALLOWED_HOSTS
+
+ALLOWED_HOSTS
+-------------
+
+Default: ``['*']``
+
+A list of strings representing the host/domain names that this Django site can
+serve. This is a security measure to prevent an attacker from poisoning caches
+and password reset emails with links to malicious hosts by submitting requests
+with a fake HTTP ``Host`` header, which is possible even under many
+seemingly-safe webserver configurations.
+
+Values in this list can be fully qualified names (e.g. ``'www.example.com'``),
+in which case they will be matched against the request's ``Host`` header
+exactly (case-insensitive, not including port). A value beginning with a period
+can be used as a subdomain wildcard: ``'.example.com'`` will match
+``example.com``, ``www.example.com``, and any other subdomain of
+``example.com``. A value of ``'*'`` will match anything; in this case you are
+responsible to provide your own validation of the ``Host`` header (perhaps in a
+middleware; if so this middleware must be listed first in
+:setting:`MIDDLEWARE_CLASSES`).
+
+If the ``Host`` header (or ``X-Forwarded-Host`` if
+:setting:`USE_X_FORWARDED_HOST` is enabled) does not match any value in this
+list, the :meth:`django.http.HttpRequest.get_host()` method will raise
+:exc:`~django.core.exceptions.SuspiciousOperation`.
+
+When :setting:`DEBUG` is ``True`` or when running tests, host validation is
+disabled; any host will be accepted. Thus it's usually only necessary to set it
+in production.
+
+This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
+if your code accesses the ``Host`` header directly from ``request.META`` you
+are bypassing this security protection.
+
.. setting:: ALLOWED_INCLUDE_ROOTS
ALLOWED_INCLUDE_ROOTS
diff --git a/docs/releases/1.3.6.txt b/docs/releases/1.3.6.txt
new file mode 100644
index 0000000000..c1e4bed2c7
--- /dev/null
+++ b/docs/releases/1.3.6.txt
@@ -0,0 +1,31 @@
+==========================
+Django 1.3.6 release notes
+==========================
+
+*February 19, 2013*
+
+This is the sixth bugfix/security release in the Django 1.3 series.
+
+Host header poisoning
+---------------------
+
+Some parts of Django -- independent of end-user-written applications -- make
+use of full URLs, including domain name, which are generated from the HTTP Host
+header. Django's documentation has for some time contained notes advising users
+on how to configure webservers to ensure that only valid Host headers can reach
+the Django application. However, it has been reported to us that even with the
+recommended webserver configurations there are still techniques available for
+tricking many common webservers into supplying the application with an
+incorrect and possibly malicious Host header.
+
+For this reason, Django 1.3.6 adds a new setting, ``ALLOWED_HOSTS``, which
+should contain an explicit list of valid host/domain names for this site. A
+request with a Host header not matching an entry in this list will raise
+``SuspiciousOperation`` if ``request.get_host()`` is called. For full details
+see the documentation for the :setting:`ALLOWED_HOSTS` setting.
+
+The default value for this setting in Django 1.3.6 is `['*']` (matching any
+host), for backwards-compatibility, but we strongly encourage all sites to set
+a more restrictive value.
+
+This host validation is disabled when ``DEBUG`` is ``True`` or when running tests.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 40fe5b0e02..3f14936fea 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -19,6 +19,7 @@ Final releases
.. toctree::
:maxdepth: 1
+ 1.3.6
1.3.1
1.3