path: root/docs/ref/settings.txt
author: Tim Graham <timograham@gmail.com> 2016-10-17 12:14:49 -0400
committer: Tim Graham <timograham@gmail.com> 2016-10-25 15:27:45 -0400
commit: c401ae9a7dfb1a94a8a61927ed541d6f93089587
tree: 6f1b7aaeba7302b6789736e32dd2b797028d64db /docs/ref/settings.txt
parent: 70f99952965a430daf69eeb9947079aae535d2d0
[1.8.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'docs/ref/settings.txt')
-rw-r--r--  docs/ref/settings.txt  10
1 file changed, 7 insertions, 3 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 382ce2edfc..d6f6e7c937 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -108,14 +108,18 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if
list, the :meth:`django.http.HttpRequest.get_host()` method will raise
:exc:`~django.core.exceptions.SuspiciousOperation`.
-When :setting:`DEBUG` is ``True`` or when running tests, host validation is
-disabled; any host will be accepted. Thus it's usually only necessary to set it
-in production.
+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
+is validated against ``['localhost', '127.0.0.1', '[::1]']``.
This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
if your code accesses the ``Host`` header directly from ``request.META`` you
are bypassing this security protection.
+.. versionchanged:: 1.8.16
+
+ In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``, but
+ it's now checked to prevent a DNS rebinding attack.
+
.. setting:: ALLOWED_INCLUDE_ROOTS
ALLOWED_INCLUDE_ROOTS
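Review bot: the replacement paragraph beginning `+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host` drops the second case from the removed text, "or when running tests", without saying what now happens to host validation under the test runner. If tests still bypass the check, that sentence should survive in the new paragraph; if they now fall back to the same ``['localhost', '127.0.0.1', '[::1]']`` default, the ``versionchanged:: 1.8.16`` note should say so as well, since anyone upgrading will want to know whether a test suite that hits ``get_host()`` needs ``ALLOWED_HOSTS`` configured. It would also help to state explicitly that when ``DEBUG`` is ``True`` and ``ALLOWED_HOSTS`` is non-empty, the configured list is used as in production, so the localhost default is understood as a fallback rather than an override.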