path: root/docs/ref/settings.txt
author Tim Graham <timograham@gmail.com> 2016-10-17 12:14:49 -0400
committer Tim Graham <timograham@gmail.com> 2016-11-01 09:30:57 -0400
commit 7fe2d8d940fdddd1a02c4754008a27060c4a03e9 (patch)
tree a688aff3e3a2f9f53729b60aa40098c4b9981e9f /docs/ref/settings.txt
parent da7910d4834726eca596af0a830762fa5fb2dfd9 (diff)
Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'docs/ref/settings.txt')
-rw-r--r-- docs/ref/settings.txt | 10
1 files changed, 8 insertions, 2 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 494988cc62..756b7bae91 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -90,8 +90,10 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if
list, the :meth:`django.http.HttpRequest.get_host()` method will raise
:exc:`~django.core.exceptions.SuspiciousOperation`.
-When :setting:`DEBUG` is ``True``, host validation is disabled; any host will
-be accepted. ``ALLOWED_HOSTS`` is :ref:`checked when running tests
+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
+is validated against ``['localhost', '127.0.0.1', '[::1]']``.
+
+``ALLOWED_HOSTS`` is also :ref:`checked when running tests
<topics-testing-advanced-multiple-hosts>`.
This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
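Review bot: the rewritten paragraph (the ``+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty`` lines) only describes the empty-list case and no longer says what happens under ``DEBUG=True`` when ``ALLOWED_HOSTS`` is non-empty; since the sentence it replaces promised that any host was accepted in debug mode, a reader could assume that still holds. Suggest stating explicitly that a non-empty ``ALLOWED_HOSTS`` is enforced regardless of ``DEBUG``, and that a request reaching the development server under any other name (a LAN address, a container hostname) will now raise the :exc:`~django.core.exceptions.SuspiciousOperation` described just above unless that host is added to ``ALLOWED_HOSTS``. It would also help to say whether the comparison is on the hostname alone or on host and port, because ``'localhost'`` as written does not obviously match a ``Host: localhost:8000`` header from the development server.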
@@ -102,6 +104,10 @@ are bypassing this security protection.
In older versions, ``ALLOWED_HOSTS`` wasn't checked when running tests.
+ In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``.
+ This was also changed in Django 1.10.3, 1.9.11, and 1.8.16 to prevent a
+ DNS rebinding attack.
+
.. setting:: APPEND_SLASH
``APPEND_SLASH``
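Review bot: the added note (``+ In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``.``) is appended under the same indented block as the existing sentence about tests, but it records a different change shipped in different releases (1.10.3, 1.9.11, 1.8.16); if the enclosing directive is versioned for the tests change, this belongs in its own ``.. versionchanged::`` directive carrying the security-release version so the rendered docs attribute it correctly. "This was also changed" also reads ambiguously after two consecutive "In older versions" sentences; suggest naming the subject and the advisory, for example: "Host validation under ``DEBUG=True`` was added in Django 1.10.3, 1.9.11, and 1.8.16 (CVE-2016-9014) to prevent a DNS rebinding attack." The identifier comes from the commit title, and citing it here gives readers a way to find the advisory from the settings reference.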