Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[1.4.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
Showing 13 changed files with 314 additions and 175 deletions.
@@ -0,0 +1,39 @@ | ||
========================== | ||
Django 1.4.4 release notes | ||
========================== | ||
|
||
*February 19, 2013* | ||
|
||
This is the fourth bugfix/security release in the Django 1.4 series. | ||
|
||
Host header poisoning | ||
--------------------- | ||
|
||
Some parts of Django -- independent of end-user-written applications -- make | ||
use of full URLs, including domain name, which are generated from the HTTP Host | ||
header. Django's documentation has for some time contained notes advising users | ||
on how to configure webservers to ensure that only valid Host headers can reach | ||
the Django application. However, it has been reported to us that even with the | ||
recommended webserver configurations there are still techniques available for | ||
tricking many common webservers into supplying the application with an | ||
incorrect and possibly malicious Host header. | ||
|
||
For this reason, Django 1.4.4 adds a new setting, ``ALLOWED_HOSTS``, containing | ||
an explicit list of valid host/domain names for this site. A request with a | ||
Host header not matching an entry in this list will raise | ||
``SuspiciousOperation`` if ``request.get_host()`` is called. For full details | ||
see the documentation for the :setting:`ALLOWED_HOSTS` setting. | ||
|
||
The default value for this setting in Django 1.4.4 is `['*']` (matching any | ||
host), for backwards-compatibility, but we strongly encourage all sites to set | ||
a more restrictive value. | ||
|
||
This host validation is disabled when ``DEBUG`` is ``True`` or when running tests. | ||
|
||
|
||
Other bugfixes and changes | ||
========================== | ||
|
||
* Changed a SQL command syntax to be MySQL 4 compatible (#19702). | ||
* Added backwards-compatibility with old unsalted MD5 passwords (#18144). | ||
* Numerous documentation improvements and fixes. |
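Review bot: the default-value sentence ("The default value for this setting in Django 1.4.4 is `['*']`") wraps the literal in single backticks, which reStructuredText renders as interpreted text, not a literal; every other literal in this file uses double backticks (``ALLOWED_HOSTS``, ``SuspiciousOperation``, ``DEBUG``), so this should be ``['*']``. It would also help operators if the "Host header poisoning" section said what a rejected request looks like from the outside (which response the client receives and what appears in the logs when ``SuspiciousOperation`` is raised from ``request.get_host()``), since that is what they will need to recognise once they tighten ``ALLOWED_HOSTS`` from the permissive default.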
@@ -20,6 +20,7 @@ Final releases | |
.. toctree:: | ||
:maxdepth: 1 | ||
|
||
1.4.4 | ||
1.4.2 | ||
1.4.1 | ||
1.4 | ||
|
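Review bot: the toctree in this hunk runs 1.4.4, 1.4.2, 1.4.1, 1.4, so there is no entry for the 1.4.3 release notes; if docs/releases/1.4.3.txt exists on this branch, add a `1.4.3` line between `1.4.4` and `1.4.2` so the series is complete and the 1.4.3 notes remain reachable from the index.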
9936fdb
It is very good!