Address ALLOWED_HOSTS changes.

Review Request #4600 — Created Sept. 20, 2013 and submitted — Latest diff uploaded

Information

Review Board
master

Reviewers

Address ALLOWED_HOSTS changes.

In Django 1.5, it's required to set ALLOWED_HOSTS in the settings. Previously,
this had defaulted to ['*'], which performed no host validation (and
potentially allowed host poisoning attacks).

I've added a default of ['*'] to settings.py, which is expected to be
overridden by settings_local.py. For new installations, rb-site will set this
to the domain name entered during installation. There's not a fantastic way to
deal with this for upgrades. rb-site upgrade can modify settings_local.py, but
it doesn't have the domain name.

I think what we'll do is mostly documentation, with a three-fold approach: * Include instructions in the release notes. * Create a "security practices" document in the admin manual, bringing together
content from various existing documents/faqs/etc, and include ALLOWED_HOSTS
in this as well. * Build a page in the admin site that can do automated security checks and make
recommendations to the user.

  • Ran with DEBUG=False against Django 1.5.4 and verified that the default
    setting worked correctly.
  • Built an egg and installed it into a virtualenv. Created a site with rb-site
    and checked that settings_local.py contained a correct ALLOWED_HOSTS.