From 7fe2d8d940fdddd1a02c4754008a27060c4a03e9 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 17 Oct 2016 12:14:49 -0400 Subject: Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True. This is a security fix. --- docs/ref/settings.txt | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'docs/ref') diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 494988cc62..756b7bae91 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -90,8 +90,10 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if list, the :meth:`django.http.HttpRequest.get_host()` method will raise :exc:`~django.core.exceptions.SuspiciousOperation`. -When :setting:`DEBUG` is ``True``, host validation is disabled; any host will -be accepted. ``ALLOWED_HOSTS`` is :ref:`checked when running tests +When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host +is validated against ``['localhost', '127.0.0.1', '[::1]']``. + +``ALLOWED_HOSTS`` is also :ref:`checked when running tests `. This validation only applies via :meth:`~django.http.HttpRequest.get_host()`; @@ -102,6 +104,10 @@ are bypassing this security protection. In older versions, ``ALLOWED_HOSTS`` wasn't checked when running tests. + In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``. + This was also changed in Django 1.10.3, 1.9.11, and 1.8.16 to prevent a + DNS rebinding attack. + .. setting:: APPEND_SLASH ``APPEND_SLASH`` -- cgit v1.3