diff options
| author | Tim Graham <timograham@gmail.com> | 2016-10-17 12:14:49 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-11-01 09:36:44 -0400 |
| commit | 884e113838e5a72b4b0ec9e5e87aa480f6aa4472 (patch) | |
| tree | 97ce5e895dfd3c655d10983c3805725e641db6a6 /docs | |
| parent | 34e10720d81b8d407aa14d763b6a7fe8f13b4f2e (diff) | |
[1.10.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/settings.txt | 11 | ||||
| -rw-r--r-- | docs/releases/1.10.3.txt | 22 | ||||
| -rw-r--r-- | docs/releases/1.8.16.txt | 22 | ||||
| -rw-r--r-- | docs/releases/1.9.11.txt | 22 |
4 files changed, 74 insertions, 3 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6ddc219bca..d908c4d9df 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -90,14 +90,19 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if list, the :meth:`django.http.HttpRequest.get_host()` method will raise :exc:`~django.core.exceptions.SuspiciousOperation`. -When :setting:`DEBUG` is ``True`` or when running tests, host validation is -disabled; any host will be accepted. Thus it's usually only necessary to set it -in production. +When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host +is validated against ``['localhost', '127.0.0.1', '[::1]']``. This validation only applies via :meth:`~django.http.HttpRequest.get_host()`; if your code accesses the ``Host`` header directly from ``request.META`` you are bypassing this security protection. +.. versionchanged:: 1.10.3 + + In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``. + This was also changed in Django 1.9.11 and 1.8.16 to prevent a + DNS rebinding attack. + .. setting:: APPEND_SLASH ``APPEND_SLASH`` diff --git a/docs/releases/1.10.3.txt b/docs/releases/1.10.3.txt index 953544d55b..4f0b19f651 100644 --- a/docs/releases/1.10.3.txt +++ b/docs/releases/1.10.3.txt @@ -20,6 +20,28 @@ the ``manage.py test --keepdb`` option or if the user has an active session A randomly generated password is now used for each test run. +DNS rebinding vulnerability when ``DEBUG=True`` +=============================================== + +Older versions of Django don't validate the ``Host`` header against +``settings.ALLOWED_HOSTS`` when ``settings.DEBUG=True``. This makes them +vulnerable to a `DNS rebinding attack +<http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>`_. + +While Django doesn't ship a module that allows remote code execution, this is +at least a cross-site scripting vector, which could be quite serious if +developers load a copy of the production database in development or connect to +some production services for which there's no development instance, for +example. If a project uses a package like the ``django-debug-toolbar``, then +the attacker could execute arbitrary SQL, which could be especially bad if the +developers connect to the database with a superuser account. + +``settings.ALLOWED_HOSTS`` is now validated regardless of ``DEBUG``. For +convenience, if ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, the following +variations of localhost are allowed ``['localhost', '127.0.0.1', '::1']``. If +your local settings file has your production ``ALLOWED_HOSTS`` value, you must +now omit it to get those fallback values. + Bugfixes ======== diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt index aa5d9cccea..9cd82d8d7a 100644 --- a/docs/releases/1.8.16.txt +++ b/docs/releases/1.8.16.txt @@ -19,3 +19,25 @@ the ``manage.py test --keepdb`` option or if the user has an active session (such as an attacker's connection). A randomly generated password is now used for each test run. + +DNS rebinding vulnerability when ``DEBUG=True`` +=============================================== + +Older versions of Django don't validate the ``Host`` header against +``settings.ALLOWED_HOSTS`` when ``settings.DEBUG=True``. This makes them +vulnerable to a `DNS rebinding attack +<http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>`_. + +While Django doesn't ship a module that allows remote code execution, this is +at least a cross-site scripting vector, which could be quite serious if +developers load a copy of the production database in development or connect to +some production services for which there's no development instance, for +example. If a project uses a package like the ``django-debug-toolbar``, then +the attacker could execute arbitrary SQL, which could be especially bad if the +developers connect to the database with a superuser account. + +``settings.ALLOWED_HOSTS`` is now validated regardless of ``DEBUG``. For +convenience, if ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, the following +variations of localhost are allowed ``['localhost', '127.0.0.1', '::1']``. If +your local settings file has your production ``ALLOWED_HOSTS`` value, you must +now omit it to get those fallback values. diff --git a/docs/releases/1.9.11.txt b/docs/releases/1.9.11.txt index 3c29187e86..4a7b3ba086 100644 --- a/docs/releases/1.9.11.txt +++ b/docs/releases/1.9.11.txt @@ -19,3 +19,25 @@ the ``manage.py test --keepdb`` option or if the user has an active session (such as an attacker's connection). A randomly generated password is now used for each test run. + +DNS rebinding vulnerability when ``DEBUG=True`` +=============================================== + +Older versions of Django don't validate the ``Host`` header against +``settings.ALLOWED_HOSTS`` when ``settings.DEBUG=True``. This makes them +vulnerable to a `DNS rebinding attack +<http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>`_. + +While Django doesn't ship a module that allows remote code execution, this is +at least a cross-site scripting vector, which could be quite serious if +developers load a copy of the production database in development or connect to +some production services for which there's no development instance, for +example. If a project uses a package like the ``django-debug-toolbar``, then +the attacker could execute arbitrary SQL, which could be especially bad if the +developers connect to the database with a superuser account. + +``settings.ALLOWED_HOSTS`` is now validated regardless of ``DEBUG``. For +convenience, if ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, the following +variations of localhost are allowed ``['localhost', '127.0.0.1', '::1']``. If +your local settings file has your production ``ALLOWED_HOSTS`` value, you must +now omit it to get those fallback values. |
