Address ALLOWED_HOSTS changes.
Review Request #4600 — Created Sept. 20, 2013 and submitted — Latest diff uploaded
In Django 1.5, it's required to set ALLOWED_HOSTS in the settings. Previously,
this had defaulted to ['*'], which performed no host validation (and
potentially allowed host poisoning attacks).

I've added a default of ['*'] to settings.py, which is expected to be
overridden by settings_local.py. For new installations, rb-site will set this
to the domain name entered during installation. There's not a fantastic way to
deal with this for upgrades. rb-site upgrade can modify settings_local.py, but
it doesn't have the domain name.

I think what we'll do is mostly documentation, with a three-fold approach:

* Include instructions in the release notes.
* Create a "security practices" document in the admin manual, bringing together
  content from various existing documents/faqs/etc, and include ALLOWED_HOSTS
  in this as well.
* Build a page in the admin site that can do automated security checks and make
  recommendations to the user.
- Ran with DEBUG=False against Django 1.5.4 and verified that the default
  setting worked correctly.
- Built an egg and installed it into a virtualenv. Created a site with rb-site
  and checked that settings_local.py contained a correct ALLOWED_HOSTS.
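As an added example (not code from this change, and not Django's own implementation), here is a simplified re-implementation of the ALLOWED_HOSTS matching rules the description relies on, together with a hypothetical check_allowed_hosts() of the kind the proposed automated security-checks page could run. It assumes settings are passed as a plain dict; all hostnames are constructed.

```python
"""Simplified ALLOWED_HOSTS matching plus a settings check.

Added example: mirrors Django 1.5's host-validation semantics from memory,
it is not Django's or Review Board's code.
"""
import re

# "host", "host:port", or a bracketed IPv6 literal with optional port.
_HOST_RE = re.compile(r'^(\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9.-]+)(?::\d+)?$')


def split_domain_port(host_header):
    """Return the lowercase domain part of a Host header, or None if malformed."""
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return None
    return m.group(1).lower()


def host_is_allowed(host_header, allowed_hosts):
    """'*' allows any host, '.example.com' allows the domain and all of its
    subdomains, and any other entry must match the domain exactly."""
    domain = split_domain_port(host_header)
    if domain is None:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == domain:
            return True
        if pattern.startswith('.') and (domain == pattern[1:] or
                                        domain.endswith(pattern)):
            return True
    return False


def check_allowed_hosts(settings):
    """Return warnings for a settings dict (hypothetical security-check logic)."""
    warnings = []
    allowed = settings.get('ALLOWED_HOSTS', [])
    if not allowed:
        warnings.append('ALLOWED_HOSTS is empty: with DEBUG=False every request '
                        'fails host validation')
    if '*' in allowed:
        warnings.append("ALLOWED_HOSTS contains '*': the Host header is not "
                        "validated, so host poisoning of generated URLs is possible")
    if any(p.startswith('.') for p in allowed):
        warnings.append('ALLOWED_HOSTS contains a wildcard subdomain entry: '
                        'confirm every subdomain is under your control')
    return warnings
```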