[oe-commits] [bitbake] branch master updated: toaster: settings set ALLOWED_HOSTS to * in debug mode

git at git.openembedded.org git at git.openembedded.org
Wed Nov 16 11:42:29 UTC 2016 

rpurdie pushed a commit to branch master
in repository bitbake.

The following commit(s) were added to refs/heads/master by this push:
       new  7f51149   toaster: settings set ALLOWED_HOSTS to * in debug mode
7f51149 is described below

commit 7f51149453c96a3f1da64ea85306518fd2b65f21
Author: brian avery <brian.avery at intel.com>
AuthorDate: Fri Nov 4 12:27:06 2016 +0000

    toaster: settings set ALLOWED_HOSTS to * in debug mode
    
    As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
    not on the ALLOWED_HOST list.  We often need to reference the
    toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
    instance, and are hitting the server from a laptop. This change does
    reduce  the protection from a DNS rebinding attack, however, if you are
    running the toaster server outside a protected network, you should be
    using the production instance.
    
    [YOCTO #10578]
    
    Signed-off-by: brian avery <brian.avery at intel.com>
    Signed-off-by: Michael Wood <michael.g.wood at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
index 3dfa2b2..aec9dbb 100644
--- a/lib/toaster/toastermain/settings.py
+++ b/lib/toaster/toastermain/settings.py
@@ -60,9 +60,19 @@ DATABASES = {
 if 'sqlite' in DATABASES['default']['ENGINE']:
     DATABASES['default']['OPTIONS'] = { 'timeout': 20 }
 
-# Hosts/domain names that are valid for this site; required if DEBUG is False
-# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts without explicitly setting the fqdn for the toaster server.
+# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS
+# Previously this setting was not enforced if DEBUG was set but it is now.
+# The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1']
+# and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work.
+# To have that same behavior, with a fqdn explicitly enabled you would set
+# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for
+# Django >= 1.8.16. By default, we are not enforcing this restriction in
+# DEBUG mode.
+if DEBUG is True:
+    # this will allow connection via localhost,hostname, or fqdn
+    ALLOWED_HOSTS = ['*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list