[1/1] toaster: settings.py , add * to ALLOWED_HOSTS

Submitted by Avery, Brian on Nov. 2, 2016, 12:03 a.m. | Patch ID: 133498

Details

Message ID 8cd5feae0d1456cdf2114a41b7c8a30bbbb0566f.1478044908.git.brian.avery@intel.com
State New

Commit Message

Avery, Brian Nov. 2, 2016, 12:03 a.m.
As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOSTS list. We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack, however, if you are
running the toaster server outside a protected network, you need to be
using the production instance.

Fixes [YOCTO #10578].

Signed-off-by: brian avery <brian.avery@intel.com>
---
 lib/toaster/toastermain/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
index 3dfa2b2..718e809 100644
--- a/lib/toaster/toastermain/settings.py
+++ b/lib/toaster/toastermain/settings.py
@@ -62,7 +62,9 @@  if 'sqlite' in DATABASES['default']['ENGINE']:
 
 # Hosts/domain names that are valid for this site; required if DEBUG is False
 # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/
+ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
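Review bot: the `'*'` entry in `ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']` makes the three explicit entries dead configuration, since the wildcard alone already accepts any Host header; the commit message accepts the DNS-rebinding cost of that, but the literal entries give a reader of settings.py the opposite impression. If the goal is only to unblock the dev server, gate the wildcard on `DEBUG` (`if DEBUG: ALLOWED_HOSTS = ['*']`) or derive the host from the bind address, and keep the list explicit otherwise. Two smaller points on the same hunk: the new comment links to the unversioned `https://docs.djangoproject.com/en/dev/ref/settings/` while the line above cites the 1.5 docs, so pick one versioned `#allowed-hosts` anchor for both, and the first added comment line runs past 80 columns and should be wrapped.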

Comments

Michael Wood Nov. 2, 2016, 12:46 p.m.
On 02/11/16 00:03, brian avery wrote:
> As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
> not on the ALLOWED_HOST list.  We often need to reference the
> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
> instance, and are hitting the server from a laptop. This change does
> reduce  the protection from a DNS rebinding attack, however, if you are
> running the toaster server outside a protected network, you need to be
> using the production instance.
>
> Fixes [YOCTO #10578 ].
>
> Signed-off-by: brian avery <brian.avery@intel.com>
> ---
>   lib/toaster/toastermain/settings.py | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
> index 3dfa2b2..718e809 100644
> --- a/lib/toaster/toastermain/settings.py
> +++ b/lib/toaster/toastermain/settings.py
> @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
>   
>   # Hosts/domain names that are valid for this site; required if DEBUG is False
>   # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
> -ALLOWED_HOSTS = []
> +# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
> +# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/
> +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']

This is an odd way to express the ALLOWED_HOSTS: you've specified 3 
allowed ones and then said, "aannnd everything!" This could easily be 
missed by anyone using the default configuration. I think it would be 
better either to restore the old behaviour by doing:

if DEBUG is True:
     ALLOWED_HOSTS = [ '*' ]

or by being smarter and inspecting the value of the environment variable 
ADDR_PORT and appending a best value for ALLOWED_HOSTS.

I've opened a bug to provide an example production environment settings 
file which will help with this sort of problem. 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10581

>   
>   # Local time zone for this installation. Choices can be found here:
>   # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
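As an added example, not part of this thread and not Toaster's or Django's own code, the following settings-style snippet shows the two alternatives raised above side by side: gating the wildcard on DEBUG, and deriving the host from the ADDR_PORT-style "host:port" string the dev server is started with. It also carries a simplified re-implementation of Django's ALLOWED_HOSTS matching rules (exact match, a leading-dot subdomain pattern, and '*'), written here so the example runs without Django installed; it mirrors the documented rules rather than Django's code. The fallback to the machine's FQDN when the bind address is 0.0.0.0 or :: is an assumption about what "a best value" could mean, and the names build-host.example and unexpected.example are constructed.

```python
"""Added example (not Toaster's own code): build ALLOWED_HOSTS from the bind
address instead of '*', and show what each candidate list actually accepts."""
import socket

# Hosts the thread says Django 1.8.16 accepts when ALLOWED_HOSTS is empty and
# DEBUG is True, i.e. what the old empty list was silently relying on.
DEBUG_DEFAULT_HOSTS = ['localhost', '127.0.0.1', '::1']
# Bind addresses that say nothing about the name clients will use.
WILDCARD_BIND = {'', '0.0.0.0', '::', '[::]'}


def split_host_port(host_header):
    """Strip an optional port from a Host header or ADDR_PORT value
    ('example.com:8000', '[::1]:8000', '127.0.0.1'); returns the lower-cased
    host part with any trailing FQDN dot removed."""
    host = host_header.strip().lower()
    if host.startswith('['):                 # bracketed IPv6 literal
        end = host.find(']')
        return host[1:end] if end != -1 else host
    if host.count(':') == 1:                 # exactly one colon: host:port
        host = host.split(':', 1)[0]
    return host[:-1] if host.endswith('.') else host


def host_allowed(host_header, allowed_hosts):
    """Simplified re-implementation of the documented ALLOWED_HOSTS rules
    (assumption: mirrors Django's documented behaviour, not its code):
    '*' matches anything, '.example.com' matches example.com and every
    subdomain, any other entry must match the host exactly."""
    host = split_host_port(host_header)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*':
            return True                      # everything before '*' is moot
        if pattern.startswith('.'):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def allowed_hosts_for_debug(debug):
    """Michael's first suggestion: only the dev server gets the wildcard."""
    return ['*'] if debug else []


def allowed_hosts_from_addr_port(addr_port, debug=False, local_fqdn=None):
    """Michael's second suggestion: derive the host from the 'host:port'
    string (assumed ADDR_PORT form) the dev server was started with.
    A wildcard bind (0.0.0.0 / ::) does not tell us the name clients will use,
    so fall back to this machine's FQDN rather than to '*'."""
    hosts = list(DEBUG_DEFAULT_HOSTS) if debug else []
    bind_host = split_host_port(addr_port) if addr_port else ''
    if bind_host in WILDCARD_BIND:
        bind_host = local_fqdn or socket.getfqdn()
    if bind_host and bind_host not in hosts:
        hosts.append(bind_host)
    return hosts


if __name__ == '__main__':
    # Constructed sample: the patch's list vs. a list derived from the bind
    # address when the server was started as webport=0.0.0.0:8000.
    patched = ['localhost', '127.0.0.1', '::1', '*']
    derived = allowed_hosts_from_addr_port('0.0.0.0:8000', debug=True,
                                           local_fqdn='build-host.example')
    for header in ('localhost:8000', 'build-host.example:8000',
                   'unexpected.example:8000'):
        print('%-26s patched=%-5s derived=%s' % (
            header, host_allowed(header, patched),
            host_allowed(header, derived)))
```

Running it shows that the patched list answers True for every Host value, the three explicit entries included only for show, while the derived list accepts the loopback names plus the build host and rejects any other name, which is the property the commit message gives up by adding '*'.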
brian avery Nov. 2, 2016, 2:52 p.m.
Hi,

On Wed, Nov 2, 2016 at 5:46 AM, Michael Wood <michael.g.wood@intel.com>
wrote:

> On 02/11/16 00:03, brian avery wrote:
>
>> As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
>> not on the ALLOWED_HOST list.  We often need to reference the
>> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
>> instance, and are hitting the server from a laptop. This change does
>> reduce  the protection from a DNS rebinding attack, however, if you are
>> running the toaster server outside a protected network, you need to be
>> using the production instance.
>>
>> Fixes [YOCTO #10578 ].
>>
>> Signed-off-by: brian avery <brian.avery@intel.com>
>> ---
>>   lib/toaster/toastermain/settings.py | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/toaster/toastermain/settings.py
>> b/lib/toaster/toastermain/settings.py
>> index 3dfa2b2..718e809 100644
>> --- a/lib/toaster/toastermain/settings.py
>> +++ b/lib/toaster/toastermain/settings.py
>> @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
>>     # Hosts/domain names that are valid for this site; required if DEBUG
>> is False
>>   # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
>> -ALLOWED_HOSTS = []
>> +# update as of django 1.8.16 release, the '*' is needed to allow us to
>> connect while running
>> +# on hosts with unknown fqdn. https://docs.djangoproject.com
>> /en/dev/ref/settings/
>> +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']
>>
>
> This is an odd way to express the ALLOWED_HOSTS, you've specified 3
> allowed ones and then said, "aannnd everything!" this could easily be
> missed by anyone using the default configuration. I think it would be
> better either to restore the old behaviour by doing:
>
> if DEBUG is True:
>     ALLOWED_HOSTS = [ '*' ]
>

I don't mind the if DEBUG part.
The value ['localhost','127.0.0.1','::1'] is what we are currently
getting by setting

    ALLOWED_HOSTS = [ ]

so I wanted to
1) make it clear what the old default was
2) provide a place to replace '*' with 'cow.intel.com' and have the system
still work.  If I do

    ALLOWED_HOSTS = [ 'cow.intel.com'], then std usage aka
http://localhost:8000 would break

if I do
ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','cow.intel.com']
then it will work as I would expect.


> or by being smarter and inspecting the value of the environment variable
> ADDR_PORT and appending a best value for ALLOWED_HOSTS.
>
> I've opened a bug to provide an example production environment settings
> file which will help with this sort of problem.
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10581


Well, we already have a production setup and generally this is handled at
the nginx layer so that the django server doesn't even see it.

-b

>
>
>>   # Local time zone for this installation. Choices can be found here:
>>   # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
>>
>
>
> --
> _______________________________________________
> toaster mailing list
> toaster@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/toaster
>