On Wed, Jan 26, 2011 at 6:18 PM, Jari Pennanen <jari.penna...@gmail.com> wrote:
> On Jan 26, 6:56 pm, FeatherDark <msensei...@gmail.com> wrote:
>> Greetings huge django developer list,
>> I just wanted to mention, this method totally works for me, I call it
>> "Skinning"
>>
>> In the templates folder I have a file called "base.html"
>> Inside that file is only 1 line:
>> {% extends request.META.HTTP_HOST|cut:':'|add:'.html' %}
>
> request.META.HTTP_HOST is coming from Client. "Trust but verify", you
> are not verifying this. It could pose a security risk. One could send
> a request with malicious Host header and make the site retrieve
> different template. This is not a serious issue, since you probably
> don't have templates that would wreak havoc.
>
> Why don't you create own template context processor that would add the
> verified HTTP_HOST to template context? Then you could do just
>
> {% extends MY_VERIFIED_HTTP_HOST %}
>
> See:
> http://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpRequest.META
> http://docs.djangoproject.com/en/dev/ref/templates/api/#writing-your-own-context-processors
>

request.META['HTTP_HOST'] is also the primary mechanism for
determining which website to serve when doing virtual hosting, i.e. if
you use Apache and your site is hosted in a structure like:

NameVirtualHost *:80
<VirtualHost *:80>
  ServerName www.foo.com
  ServerAlias *.foo.com *.bar.com *.quuz.com
  ....
</VirtualHost>

Then that variable already is being verified.

Cheers

Tom
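An added example, not code from the thread, of the context-processor approach Jari suggests: the raw Host-to-template mapping from the original one-liner beside a version that only yields a skin name for hosts matching the ServerAlias patterns Tom quotes, falling back to a default otherwise. The allowlist, the default skin name, the _Request stub and the context-variable name are assumptions made for the example.

```python
import fnmatch
import re

# Constructed allowlist mirroring the ServerAlias line quoted in the thread.
ALLOWED_HOST_PATTERNS = ["www.foo.com", "*.foo.com", "*.bar.com", "*.quuz.com"]
DEFAULT_SKIN = "default.html"  # assumed fallback template

# A hostname is dot-separated labels of letters, digits and hyphens; anything
# else (slashes, spaces, percent escapes) is rejected before it can become
# part of a template name.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)


def unverified_skin(host_header):
    """The original one-liner's behaviour: whatever the client sent in the
    Host header (minus the port) becomes the template name, unchecked."""
    return host_header.split(":", 1)[0] + ".html"


def verified_skin(host_header, allowed=ALLOWED_HOST_PATTERNS, default=DEFAULT_SKIN):
    """Return '<host>.html' only for a syntactically valid host that matches
    one of the allowed patterns; every other value maps to the default skin."""
    host = host_header.split(":", 1)[0].strip().lower()
    if not _HOSTNAME_RE.match(host):
        return default
    if not any(fnmatch.fnmatchcase(host, pat) for pat in allowed):
        return default
    return host + ".html"


class _Request:
    """Constructed stand-in for django.http.HttpRequest; only .META is used."""

    def __init__(self, host):
        self.META = {"HTTP_HOST": host}


def skin_context_processor(request):
    """Shape Django expects of a context processor: takes the request and
    returns a dict merged into every template context. Register it in the
    context_processors setting linked from the thread, then the base template
    can safely do {% extends MY_VERIFIED_HTTP_HOST %}."""
    return {"MY_VERIFIED_HTTP_HOST": verified_skin(request.META.get("HTTP_HOST", ""))}
```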
