On Wed, Jan 26, 2011 at 6:18 PM, Jari Pennanen <jari.penna...@gmail.com> wrote:
> On Jan 26, 6:56 pm, FeatherDark <msensei...@gmail.com> wrote:
>> Greetings huge django developer list,
>> I just wanted to mention, this method totally works for me, I call it
>> "Skinning"
>>
>> In the templates folder I have a file called "base.html"
>> Inside that file is only 1 line:
>> {% extends request.META.HTTP_HOST|cut:':'|add:'.html' %}
>
> request.META.HTTP_HOST is coming from the client. "Trust but verify": you
> are not verifying this. It could pose a security risk. One could send
> a request with a malicious Host header and make the site retrieve a
> different template. This is not a serious issue, since you probably
> don't have templates that would wreak havoc.
>
> Why don't you create your own template context processor that would add the
> verified HTTP_HOST to the template context? Then you could do just
>
> {% extends MY_VERIFIED_HTTP_HOST %}
>
> See:
> http://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpRequest.META
> http://docs.djangoproject.com/en/dev/ref/templates/api/#writing-your-own-context-processors
>
request.META['HTTP_HOST'] is also the primary mechanism for determining which website to serve when doing virtual hosting, i.e. if you use Apache and your site is hosted in a structure like:

    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName www.foo.com
        ServerAlias *.foo.com *.bar.com *.quuz.com
        ....
    </VirtualHost>

Then that variable already is being verified.

Cheers
Tom
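The context processor Jari suggests, written out as an added example (this code is not from the thread, from Django, or from either poster). It is plain Python with a stand-in request object so it runs without Django; the allowlist SKIN_BY_HOST, the template names, the processor name verified_host and the context keys MY_VERIFIED_HTTP_HOST and SKIN_TEMPLATE are all assumptions chosen for illustration. naive_skin reproduces what the one-line base.html computes, so the two can be compared on the same Host values, including a port and a forged header.

```python
import re

# Constructed allowlist for illustration (not from the thread): only these
# hosts get a per-site skin; anything else, including a forged Host header,
# falls back to DEFAULT_SKIN.
SKIN_BY_HOST = {
    "www.foo.com": "foo.html",
    "www.bar.com": "bar.html",
}
DEFAULT_SKIN = "default.html"

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(r"^%s(\.%s)*$" % (_LABEL, _LABEL))


def normalize_host(raw_host):
    """Return a canonical lowercase hostname from a Host header value, or None.

    Strips an optional numeric :port and a trailing dot. Anything that is not
    a syntactically valid hostname (path characters, spaces, bracketed IPv6
    literals, a non-numeric port) is rejected rather than passed through.
    """
    if not raw_host:
        return None
    host = raw_host.strip().lower()
    if host.startswith("["):          # IPv6 literal: not a skinnable name here
        return None
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    host = host.rstrip(".")
    if not _HOSTNAME_RE.match(host):
        return None
    return host


def naive_skin(raw_host):
    """Template name produced by the one-line base.html from the thread:
    {% extends request.META.HTTP_HOST|cut:':'|add:'.html' %}
    'cut' removes every colon, so a port is glued onto the name, and any
    other client-supplied text goes straight into the template name."""
    return (raw_host or "").replace(":", "") + ".html"


def skin_for_host(raw_host):
    """Allowlisted replacement: unknown or malformed hosts get DEFAULT_SKIN."""
    host = normalize_host(raw_host)
    if host is None:
        return DEFAULT_SKIN
    return SKIN_BY_HOST.get(host, DEFAULT_SKIN)


def verified_host(request):
    """Context processor (hypothetical name) for the thread's suggestion.

    Takes a Django-style request whose .META is the WSGI environ dict and
    returns extra template context. MY_VERIFIED_HTTP_HOST is only set when
    the Host header names a site we actually serve; SKIN_TEMPLATE is always
    usable, so base.html can be:  {% extends SKIN_TEMPLATE %}
    """
    raw = request.META.get("HTTP_HOST")
    host = normalize_host(raw)
    if host not in SKIN_BY_HOST:
        host = None
    return {
        "MY_VERIFIED_HTTP_HOST": host,
        "SKIN_TEMPLATE": skin_for_host(raw),
    }


class FakeRequest(object):
    """Stand-in for django.http.HttpRequest so the example runs without Django."""

    def __init__(self, host_header):
        self.META = {}
        if host_header is not None:
            self.META["HTTP_HOST"] = host_header


if __name__ == "__main__":
    # Constructed Host header values: a normal host, one with a port, an
    # unknown host, a forged value with path characters, and no header at all.
    for hdr in ["www.foo.com", "WWW.BAR.COM:8000", "evil.example",
                "../../settings", None]:
        print("%-20r naive=%-24r verified=%r"
              % (hdr, naive_skin(hdr), verified_host(FakeRequest(hdr))))
```

Two things this makes visible. First, the naive filter does not strip a port, it deletes the colon, so www.foo.com:8000 asks for www.foo.com8000.html; and a wildcard ServerAlias like *.foo.com lets any subdomain reach Django, so Apache alone does not pin the value to a fixed set of template names. Whether a forged value can ever resolve to a file outside the template directories depends on the template loader, which is why Jari rates the issue as low severity; the allowlist removes the question instead of relying on that. Second, to use it the function has to be registered as a context processor (in the TEMPLATE_CONTEXT_PROCESSORS setting on Django of this thread's era), and later Django releases (1.4.4 onward) additionally reject unexpected Host headers via ALLOWED_HOSTS in request.get_host(), which is the right place for the verification when it is available.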