toaster.lists.yoctoproject.org archive mirror
* [PATCH 0/1] toaster: add * to ALLOWED_HOSTS setting
@ 2016-11-02  0:03 brian avery
  2016-11-02  0:03 ` [PATCH 1/1] toaster: settings.py , add * to ALLOWED_HOSTS brian avery
  0 siblings, 1 reply; 4+ messages in thread
From: brian avery @ 2016-11-02  0:03 UTC (permalink / raw)
  To: toaster; +Cc: brian avery

As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOST list.  We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack, however, if you are
running the toaster server outside a protected network, you need to be
using the production instance.

In particular, this prevents the toaster container tests from running as well
as the containers from working as is in the Windows Docker Toolbox case.

-brian

The following changes since commit c3d2df883a9d6d5036277114339673656d89a728:

  oeqa/selftest/kernel.py: Add new file destined for kernel related tests (2016-11-01 10:05:46 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib bavery/toaster/fixALLOWED_HOSTexclusion
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=bavery/toaster/fixALLOWED_HOSTexclusion

brian avery (1):
  toaster: settings.py , add * to ALLOWED_HOSTS

 lib/toaster/toastermain/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--
1.9.1



* [PATCH 1/1] toaster: settings.py , add * to ALLOWED_HOSTS
  2016-11-02  0:03 [PATCH 0/1] toaster: add * to ALLOWED_HOSTS setting brian avery
@ 2016-11-02  0:03 ` brian avery
  2016-11-02 12:46   ` Michael Wood
  0 siblings, 1 reply; 4+ messages in thread
From: brian avery @ 2016-11-02  0:03 UTC (permalink / raw)
  To: toaster; +Cc: brian avery

As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOST list.  We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack, however, if you are
running the toaster server outside a protected network, you need to be
using the production instance.

Fixes [YOCTO #10578 ].

Signed-off-by: brian avery <brian.avery@intel.com>
---
 lib/toaster/toastermain/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
index 3dfa2b2..718e809 100644
--- a/lib/toaster/toastermain/settings.py
+++ b/lib/toaster/toastermain/settings.py
@@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
 
 # Hosts/domain names that are valid for this site; required if DEBUG is False
 # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/
+ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
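Review bot: The trailing '*' on the new ALLOWED_HOSTS line makes the three explicit entries before it redundant, because a '*' entry matches any Host header; as written, the settings file accepts every Host value in every deployment, not only the webport=0.0.0.0 case the comment describes, which gives up the host-header check entirely rather than relaxing it for development. Consider confining the wildcard to the development case (`if DEBUG: ALLOWED_HOSTS = ['*']`) or appending only the name derived from the configured bind address, so the default remains explicit. The new comment also links to /en/dev/ref/settings/, which tracks the development branch rather than the Django release in use; the comment above it already cites a versioned settings reference.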
-- 
1.9.1




* Re: [PATCH 1/1] toaster: settings.py , add * to ALLOWED_HOSTS
  2016-11-02  0:03 ` [PATCH 1/1] toaster: settings.py , add * to ALLOWED_HOSTS brian avery
@ 2016-11-02 12:46   ` Michael Wood
  2016-11-02 14:52     ` Brian Avery
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Wood @ 2016-11-02 12:46 UTC (permalink / raw)
  To: toaster

On 02/11/16 00:03, brian avery wrote:
> As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
> not on the ALLOWED_HOST list.  We often need to reference the
> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
> instance, and are hitting the server from a laptop. This change does
> reduce the protection from a DNS rebinding attack, however, if you are
> running the toaster server outside a protected network, you need to be
> using the production instance.
>
> Fixes [YOCTO #10578 ].
>
> Signed-off-by: brian avery <brian.avery@intel.com>
> ---
>   lib/toaster/toastermain/settings.py | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
> index 3dfa2b2..718e809 100644
> --- a/lib/toaster/toastermain/settings.py
> +++ b/lib/toaster/toastermain/settings.py
> @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
>   
>   # Hosts/domain names that are valid for this site; required if DEBUG is False
>   # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
> -ALLOWED_HOSTS = []
> +# update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
> +# on hosts with unknown fqdn. https://docs.djangoproject.com/en/dev/ref/settings/
> +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']

This is an odd way to express the ALLOWED_HOSTS: you've specified 3 
allowed ones and then said, "aannnd everything!" This could easily be 
missed by anyone using the default configuration. I think it would be 
better either to restore the old behaviour by doing:

if DEBUG is True:
     ALLOWED_HOSTS = [ '*' ]

or by being smarter and inspecting the value of the environment variable 
ADDR_PORT and appending a best value for ALLOWED_HOSTS.

I've opened a bug to provide an example production environment settings 
file which will help with this sort of problem. 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10581

>   
>   # Local time zone for this installation. Choices can be found here:
>   # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name




^ permalink raw reply	[flat|nested] 4+ messages in thread
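As an added example (not Toaster's code and not Django's), here is one way to realise the two alternatives raised above: confine the permissive wildcard to DEBUG, and otherwise derive the extra entry from the ADDR_PORT bind address. It also re-implements Django's host-header matching in simplified form (exact match, '*' wildcard, leading-dot subdomain match, port stripped) so the effect of a list that contains '*' can be checked offline against sample Host values. ADDR_PORT is the environment variable named in the review; TOASTER_ALLOWED_HOSTS is a hypothetical override name assumed here; the IPv6 bracket handling differs from Django's own code.

```python
"""Added example, not Toaster's own code and not Django's.

Derive ALLOWED_HOSTS from the bind address instead of hard-coding '*', and
confine the wildcard to DEBUG. The matching helpers imitate Django's host
validation rules in simplified form; they are not Django's implementation.

Assumptions: the bind address arrives in ADDR_PORT (name used in the review);
TOASTER_ALLOWED_HOSTS is an assumed, hypothetical comma-separated override
for deployments behind a reverse proxy.
"""
import os
from urllib.parse import urlsplit

# The loopback names the discussion says an empty ALLOWED_HOSTS amounts to.
LOOPBACK_HOSTS = ['localhost', '127.0.0.1', '::1']
# Bind addresses that say nothing about the name clients will use.
WILDCARD_BINDS = {'', '0.0.0.0', '::'}


def bind_host(addr_port):
    """Host part of 'addr:port', '[v6]:port' or 'http://addr:port'; '' if none."""
    if '//' not in addr_port:
        addr_port = '//' + addr_port  # let urlsplit treat it as a netloc
    return (urlsplit(addr_port).hostname or '').lower()


def build_allowed_hosts(debug, addr_port='', extra=()):
    """Return an ALLOWED_HOSTS list without an unconditional '*'.

    A concrete bind host (a name or a non-wildcard IP) is appended to the
    loopback names. A wildcard bind (0.0.0.0 / ::) leaves the public name
    unknown: in DEBUG we add '*' as a development convenience; otherwise the
    list stays explicit and the operator must supply names via `extra`.
    """
    hosts = list(LOOPBACK_HOSTS)
    host = bind_host(addr_port)
    if host not in WILDCARD_BINDS and host not in hosts:
        hosts.append(host)
    for name in extra:
        name = name.strip().lower()
        if name and name not in hosts:
            hosts.append(name)
    if debug and host in WILDCARD_BINDS and not extra:
        hosts.append('*')  # development only: accepts any Host header
    return hosts


def allowed_hosts_from_env(debug, environ=None):
    """settings.py helper reading ADDR_PORT and TOASTER_ALLOWED_HOSTS (assumed names)."""
    env = os.environ if environ is None else environ
    extra = [h for h in env.get('TOASTER_ALLOWED_HOSTS', '').split(',') if h.strip()]
    return build_allowed_hosts(debug, env.get('ADDR_PORT', ''), extra)


def host_from_header(host_header):
    """Strip the optional :port from a Host header value, keeping IPv6 literals."""
    host = host_header.strip().lower()
    if host.startswith('['):            # [::1]:8000 -> ::1
        end = host.find(']')
        return host[1:end] if end != -1 else host
    if host.count(':') == 1:            # name:port -> name
        return host.rsplit(':', 1)[0]
    return host


def host_is_allowed(host_header, allowed_hosts):
    """Simplified Django-style check: does this Host header match the list?"""
    host = host_from_header(host_header)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == host:
            return True
        # '.example.com' matches example.com and any subdomain of it
        if pattern.startswith('.') and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


if __name__ == '__main__':
    dev = build_allowed_hosts(debug=True, addr_port='0.0.0.0:8000')
    prod = build_allowed_hosts(debug=False, addr_port='0.0.0.0:8000',
                               extra=['cow.intel.com'])
    for hosts in (dev, prod):
        print(hosts)
        # constructed sample Host header values
        for header in ('localhost:8000', 'cow.intel.com', 'unknown.example:8000'):
            print('  %-22s %s' % (header, host_is_allowed(header, hosts)))
```

Running the block prints the development list (which ends in '*' and therefore accepts the unknown name as well) next to a production list that accepts only loopback and the name supplied by the operator; the point of the second list is that the reverse proxy or environment, not a wildcard in settings.py, decides which names reach the application.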

* Re: [PATCH 1/1] toaster: settings.py , add * to ALLOWED_HOSTS
  2016-11-02 12:46   ` Michael Wood
@ 2016-11-02 14:52     ` Brian Avery
  0 siblings, 0 replies; 4+ messages in thread
From: Brian Avery @ 2016-11-02 14:52 UTC (permalink / raw)
  To: Michael Wood; +Cc: toaster


Hi,

On Wed, Nov 2, 2016 at 5:46 AM, Michael Wood <michael.g.wood@intel.com>
wrote:

> On 02/11/16 00:03, brian avery wrote:
>
>> As of Django 1.8.16, django is rejecting any HTTP_HOST header that is
>> not on the ALLOWED_HOST list.  We often need to reference the
>> toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
>> instance, and are hitting the server from a laptop. This change does
>> reduce the protection from a DNS rebinding attack, however, if you are
>> running the toaster server outside a protected network, you need to be
>> using the production instance.
>>
>> Fixes [YOCTO #10578 ].
>>
>> Signed-off-by: brian avery <brian.avery@intel.com>
>> ---
>>   lib/toaster/toastermain/settings.py | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/toaster/toastermain/settings.py
>> b/lib/toaster/toastermain/settings.py
>> index 3dfa2b2..718e809 100644
>> --- a/lib/toaster/toastermain/settings.py
>> +++ b/lib/toaster/toastermain/settings.py
>> @@ -62,7 +62,9 @@ if 'sqlite' in DATABASES['default']['ENGINE']:
>>     # Hosts/domain names that are valid for this site; required if DEBUG
>> is False
>>   # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
>> -ALLOWED_HOSTS = []
>> +# update as of django 1.8.16 release, the '*' is needed to allow us to
>> connect while running
>> +# on hosts with unknown fqdn. https://docs.djangoproject.com
>> /en/dev/ref/settings/
>> +ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','*']
>>
>
> This is an odd way to express the ALLOWED_HOSTS, you've specified 3
> allowed ones and then said, "aannnd everything!" this could easily be
> missed by anyone using the default configuration. I think it would be
> better either to restore the old behaviour by doing:
>
> if DEBUG is True:
>     ALLOWED_HOSTS = [ '*' ]
>

I don't mind the if DEBUG part.
The value ['localhost','127.0.0.1','::1'] is what we are currently
getting by setting

    ALLOWED_HOSTS = [ ]

so I wanted to
1) make it clear what the old default was
2) provide a place to replace '*' with 'cow.intel.com' and have the system
still work.  If I do

    ALLOWED_HOSTS = [ 'cow.intel.com']

then std usage aka http://localhost:8000 would break;
if I do

    ALLOWED_HOSTS = ['localhost','127.0.0.1','::1','cow.intel.com']

then it will work as I would expect.


> or by being smarter and inspecting the value of the environment variable
> ADDR_PORT and appending a best value for ALLOWED_HOSTS.
>
> I've opened a bug to provide an example production environment settings
> file which will help with this sort of problem.
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10581


Well,  we already have a production setup and generally this is handled at
the nginx layer so that the django server doesn't even see it.

-b

>
>
>     # Local time zone for this installation. Choices can be found here:
>>   # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
>>
