[bitbake-devel] [PATCH][master/morty/1.32] toaster: settings set ALLOWED_HOSTS to * in debug mode

Michael Wood michael.g.wood at intel.com
Fri Nov 4 12:30:26 UTC 2016


On 04/11/16 12:27, Michael Wood wrote:
> From: brian avery <brian.avery at intel.com>
>
> As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
> not on the ALLOWED_HOST list.  We often need to reference the
> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
> instance, and are hitting the server from a laptop. This change does
> reduce the protection from a DNS rebinding attack, however, if you are
> running the toaster server outside a protected network, you should be
> using the production instance.
>
> [YOCTO #10578]
>
> Signed-off-by: brian avery <brian.avery at intel.com>
> Signed-off-by: Michael Wood <michael.g.wood at intel.com>
> ---
>   lib/toaster/toastermain/settings.py | 16 +++++++++++++---
>   1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
> index 3dfa2b2..aec9dbb 100644
> --- a/lib/toaster/toastermain/settings.py
> +++ b/lib/toaster/toastermain/settings.py
> @@ -60,9 +60,19 @@ DATABASES = {
>   if 'sqlite' in DATABASES['default']['ENGINE']:
>       DATABASES['default']['OPTIONS'] = { 'timeout': 20 }
>   
> -# Hosts/domain names that are valid for this site; required if DEBUG is False
> -# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
> -ALLOWED_HOSTS = []
> +# Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
> +# on hosts without explicitly setting the fqdn for the toaster server.
> +# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS
> +# Previously this setting was not enforced if DEBUG was set but it is now.
> +# The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1']
> +# and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work.
> +# To have that same behavior, with a fqdn explicitly enabled you would set
> +# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for
> +# Django >= 1.8.16. By default, we are not enforcing this restriction in
> +# DEBUG mode.
> +if DEBUG is True:
> +    # this will allow connection via localhost,hostname, or fqdn
> +    ALLOWED_HOSTS = ['*']
>   
>   # Local time zone for this installation. Choices can be found here:
>   # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
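Review bot: removing the unconditional `ALLOWED_HOSTS = []` leaves the setting undefined in this file whenever DEBUG is False, so the non-debug behaviour now rests on Django's own default rather than on anything an operator can see here; keeping `ALLOWED_HOSTS = []` above the `if` and overriding it inside the branch would state the production expectation explicitly. The new comment block also omits the trade-off the commit message spells out (the `'*'` entry gives up the DNS rebinding protection), and that is the one sentence a later editor of settings.py most needs; a line such as `# '*' disables Host header checking (DNS rebinding protection); DEBUG only` would cover it. Smaller points: `if DEBUG is True:` can simply be `if DEBUG:`, and swapping the versioned docs link for `/en/dev/` means the reference will drift as Django moves on; a 1.8-series link matches the Django>1.8,<1.9 range this backport targets.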

Should also say that this is needed for backport because the 
requirements for Django were effectively also added as a backport to 
the version we are currently using, i.e. Django>1.8,<1.9

More info in Brian's cover letter on the toaster mailing list.

https://lists.yoctoproject.org/pipermail/toaster/2016-November/005300.html

Michael
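To make the effect of the `'*'` entry concrete, here is a stand-alone re-implementation of the ALLOWED_HOSTS matching rules that Django applies to the Host header (the wildcard, exact match, leading-dot suffix match, port stripping and the malformed-header rejection). This is an added example, not code from the Toaster patch or from Django itself; the host names are constructed, and `myserver.mycompany.com` is the placeholder from the patch comment. One detail it assumes from Django's behaviour: an IPv6 loopback entry has to be written in the bracketed form `'[::1]'`, as it appears in a Host header, rather than the bare `'::1'` shown in the patch comment.

```python
"""Simplified re-implementation of Django's ALLOWED_HOSTS host validation
(modelled on django.http.request.split_domain_port / validate_host).
Added example; not Toaster's or Django's own code."""
import re

# Same shape as Django's host_validation_re: a DNS name or a bracketed IPv6
# literal, with an optional ":port" suffix. Matching is done on the
# lowercased header value.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::(\d+))?$")


def split_domain_port(host):
    """Return (domain, port) from a Host header value, or ('', '') if malformed."""
    match = _HOST_RE.match(host.lower())
    if not match:
        return "", ""
    domain, port = match.groups()
    # A trailing dot on the domain is ignored, as Django does.
    return domain.rstrip("."), port or ""


def is_same_domain(host, pattern):
    """'.example.com' matches example.com and every subdomain; otherwise exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host, allowed_hosts):
    """True if the Host header value is admitted by allowed_hosts.

    A malformed header is rejected even when '*' is present, matching
    Django's get_host(), which checks the parsed domain first."""
    domain, _port = split_domain_port(host)
    return bool(domain) and any(
        pattern == "*" or is_same_domain(domain, pattern) for pattern in allowed_hosts
    )


# What the patch applies in DEBUG mode: any well-formed Host header passes.
DEBUG_ALLOWED_HOSTS = ["*"]

# The explicit list the patch comment recommends for a known FQDN. The IPv6
# loopback is bracketed here because that is how Django sees it in the header
# (assumption about Django's matching, noted in the lead-in).
EXPLICIT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]", "myserver.mycompany.com"]


def check_hosts(allowed_hosts, hosts):
    """Map each candidate Host header value to whether allowed_hosts admits it."""
    return {h: validate_host(h, allowed_hosts) for h in hosts}


if __name__ == "__main__":
    # Constructed Host header values; the last one is not a host we operate.
    candidates = ["localhost:8000", "myserver.mycompany.com", "attacker-controlled.example"]
    for label, allowed in (("['*']", DEBUG_ALLOWED_HOSTS), ("explicit", EXPLICIT_ALLOWED_HOSTS)):
        print(label, check_hosts(allowed, candidates))
```

Running it shows the difference the patch trades on: with `['*']` the third, foreign host name is accepted just like the local ones, while the explicit list admits only the names it lists (plus any port and case variation of them), which is the property the rebinding protection depends on.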
