[bitbake-devel] [PATCH][master/morty/1.32] toaster: settings set ALLOWED_HOSTS to * in debug mode

Brian Avery avery.brian at gmail.com
Mon Nov 14 21:08:54 UTC 2016


bump.
-brian
an intel employee

On Fri, Nov 4, 2016 at 5:30 AM, Michael Wood <michael.g.wood at intel.com>
wrote:

> On 04/11/16 12:27, Michael Wood wrote:
>
>> From: brian avery <brian.avery at intel.com>
>>
>> As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
>> not on the ALLOWED_HOST list.  We often need to reference the
>> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
>> instance, and are hitting the server from a laptop. This change does
>> reduce the protection from a DNS rebinding attack, however, if you are
>> running the toaster server outside a protected network, you should be
>> using the production instance.
>>
>> [YOCTO #10578]
>>
>> Signed-off-by: brian avery <brian.avery at intel.com>
>> Signed-off-by: Michael Wood <michael.g.wood at intel.com>
>> ---
>>   lib/toaster/toastermain/settings.py | 16 +++++++++++++---
>>   1 file changed, 13 insertions(+), 3 deletions(-)
>>
>> diff --git a/lib/toaster/toastermain/settings.py
>> b/lib/toaster/toastermain/settings.py
>> index 3dfa2b2..aec9dbb 100644
>> --- a/lib/toaster/toastermain/settings.py
>> +++ b/lib/toaster/toastermain/settings.py
>> @@ -60,9 +60,19 @@ DATABASES = {
>>   if 'sqlite' in DATABASES['default']['ENGINE']:
>>       DATABASES['default']['OPTIONS'] = { 'timeout': 20 }
>>   -# Hosts/domain names that are valid for this site; required if DEBUG
>> is False
>> -# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
>> -ALLOWED_HOSTS = []
>> +# Update as of django 1.8.16 release, the '*' is needed to allow us to
>> connect while running
>> +# on hosts without explicitly setting the fqdn for the toaster server.
>> +# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on
>> ALLOWED_HOSTS
>> +# Previously this setting was not enforced if DEBUG was set but it is
>> now.
>> +# The previous behavior was such that ALLOWED_HOSTS defaulted to
>> ['localhost','127.0.0.1','::1']
>> +# and if you bound to 0.0.0.0:<port #> then accessing toaster as
>> localhost or fqdn would both work.
>> +# To have that same behavior, with a fqdn explicitly enabled you would
>> set
>> +# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com']
>> for
>> +# Django >= 1.8.16. By default, we are not enforcing this restriction in
>> +# DEBUG mode.
>> +if DEBUG is True:
>> +    # this will allow connection via localhost,hostname, or fqdn
>> +    ALLOWED_HOSTS = ['*']
>>     # Local time zone for this installation. Choices can be found here:
>>   # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
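Review bot: with DEBUG False this hunk leaves ALLOWED_HOSTS unassigned in settings.py, because the removed `-ALLOWED_HOSTS = []` line is replaced only by the `+if DEBUG is True:` branch; Django falls back to its empty-list default so nothing breaks, but the setting the deleted comment called "required if DEBUG is False" is now implicit. Suggest keeping an explicit assignment, e.g. `ALLOWED_HOSTS = []` before the `if` or an `else:` branch, so a production deployment has an obvious place to add its fqdn as the comment block describes. The comment block should also state plainly that `'*'` switches Host-header validation off entirely, which is the DNS rebinding trade-off the cover letter mentions, so someone reading settings.py sees the risk without the commit message. Minor style point: `if DEBUG:` is the idiomatic form rather than `if DEBUG is True:`.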
>>
>
> Should also say that this is needed for backport because the requirement
> for Django was effectively also added as a backport to the version we are
> currently using, i.e. Django>1.8,<1.9
>
> More info in Brian's cover letter on the toaster mailing list.
>
> https://lists.yoctoproject.org/pipermail/toaster/2016-November/005300.html
>
> Michael
>
>