Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed #26419 -- Rephrased a sentence in ALLOWED_HOSTS docs. #6357

Closed
wants to merge 3 commits into from
Closed

Fixed #26419 -- Rephrased a sentence in ALLOWED_HOSTS docs. #6357

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b29a783
Clarify ALLOWED_HOSTS Purpose; Ticket #26419
jtpereyda Mar 29, 2016
3681a31
Clarify ALLOWED_HOSTS purpose; review updates
jtpereyda Apr 3, 2016
6e95a93
ALLOWED_HOSTS further reword explanation
jtpereyda Apr 3, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 4 additions & 3 deletions docs/ref/settings.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,9 +65,10 @@ See :doc:`/howto/error-reporting` for more information.
Default: ``[]`` (Empty list)

A list of strings representing the host/domain names that this Django site can
serve. This is a security measure to prevent an attacker from poisoning caches
and triggering password reset emails with links to malicious hosts by submitting
requests with a fake HTTP ``Host`` header, which is possible even under many
serve. This is a security measure to prevent HTTP Host header attacks, in which
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could add a link to the discussion in docs/topics/security.txt:

:ref:`HTTP Host header attacks <host-headers-virtual-hosting>`

Also, I think a comma isn't needed before "in which".

an attacker uses malicious HTTP Host header values to inject code, trigger
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what "inject code" is referring to.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Injection: https://en.wikipedia.org/wiki/Code_injection
As described here, host header attacks can be used to inject code into a password reset email.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I elected to remove that explanation, as the page that is now linked to has an explanation already.

password reset emails, etc. HTTP Host header attacks can exploit the behavior
of web applications, web servers, and web caches, even under many
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not too sure about this sentence. Maybe "HTTP Host header attacks are possible even under many...." would be enough?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good.

seemingly-safe web server configurations.

Values in this list can be fully qualified names (e.g. ``'www.example.com'``),
Expand Down