| author | Carl Meyer <carl@oddbird.net> | 2013-02-09 10:17:01 -0700 |
|---|---|---|
| committer | Carl Meyer <carl@oddbird.net> | 2013-02-19 11:23:29 -0700 |
| commit | d51fb74360b94f2a856573174f8aae3cd905dd35 (patch) | |
| tree | c2d663edd49bfe6c09f8f492630f5dd344409ad6 /django/conf | |
| parent | 1add79bc4007fee658f193b65aea2af2347aab6b (diff) | |
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
Diffstat (limited to 'django/conf')
| -rw-r--r-- | django/conf/global_settings.py | 4 | ||||
| -rw-r--r-- | django/conf/project_template/project_name/settings.py | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 6a01493a72..659f2f42b7 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -29,6 +29,10 @@ ADMINS = () # * Receive x-headers INTERNAL_IPS = ()
+# Hosts/domain names that are valid for this site.
+# "*" matches anything, ".example.com" matches example.com and all subdomains
+ALLOWED_HOSTS = []
+
 # Local time zone for this installation. All choices can be found here: # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all # systems may support all possibilities). When USE_TZ is True, this is
diff --git a/django/conf/project_template/project_name/settings.py b/django/conf/project_template/project_name/settings.py
index 8815dc6bc0..d46f327922 100644
--- a/django/conf/project_template/project_name/settings.py
+++ b/django/conf/project_template/project_name/settings.py
@@ -25,6 +25,10 @@ DEBUG = True TEMPLATE_DEBUG = True
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/{{ docs_version }}/ref/settings/#allowed-hosts
+ALLOWED_HOSTS = []
+
 # Application definition |
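Review bot: The comment above `ALLOWED_HOSTS = []` in global_settings.py lists the `"*"` form without saying that it effectively switches the Host header check off, and it does not say what the empty default means. The commit message calls the setting required, so an empty list presumably rejects every host once DEBUG is off, but the validation code is outside this diff and the comment should state the behaviour. I would add a line such as `# "*" accepts any Host header; use it only if the header is validated elsewhere (e.g. by the front-end web server)`, and, if it matches the check, `# The empty default allows no hosts.`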
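Review bot: The project-template comment says the setting is required when DEBUG is False but gives no example of a valid entry, while the hunk's context shows `DEBUG = True` just above it. A freshly generated project will therefore presumably run with the empty list and only hit the requirement at deployment, which is when an example is most useful. I would extend the comment with something like `# e.g. ['www.example.com'], or ['.example.com'] to also match subdomains`; the leading-dot form is the one described in the global_settings.py hunk of this commit.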
