On Tue, 2013-02-19 at 14:50 -0600, James Bennett wrote:
> We've issued several security releases today. Details are in the blog
> post:
> 
> https://www.djangoproject.com/weblog/2013/feb/19/security/
> 
> We recommend everyone carefully read this one, as it has an
> end-user-visible change requiring action beyond simply upgrading your
> Django package.
> 

I don't recall looking at the ALLOWED_HOSTS setting before. Now that I
do, it seems rather problematic. In particular, that host verification
is apparently turned off while DEBUG is True or while testing.

Surely this makes it impossible to test, and makes it likely that
misconfigurations will not be picked up until deployed to a production
environment.

Given that most setups require some customisation of settings for
dev/staging/production/whatever environments anyway, why not leave the
verification on at all times and allow us to ensure we get the right
hosts in the right environments?

What am I missing?


Cheers,


Nick
-- 
Nick Phillips / +64 3 479 4195 / nick.phill...@otago.ac.nz
# these statements are my own, not those of the University of Otago
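A stand-alone illustration of the check the message above is discussing, added here as an example and not code from Django or from the thread's participants. It re-implements the documented ALLOWED_HOSTS matching rules (an exact host name, a leading-dot pattern such as `.example.com` that covers the bare domain and its subdomains, and `*`) as plain functions, rejects syntactically malformed Host values before matching, and then applies that check against constructed per-environment settings without consulting DEBUG, so a wrong host list for staging shows up in a test rather than after deployment. The `ENVIRONMENTS` table and the function names are this example's own assumptions.

```python
"""Added example, not Django's code: a self-contained re-implementation of
the matching rules behind ALLOWED_HOSTS, applied per environment without any
DEBUG exemption.  Names and settings values here are constructed for the demo."""
import re

# Shape of an acceptable Host header: a DNS name or IPv4 literal, or a
# bracketed IPv6 literal, each with an optional port.  Anything else is
# rejected before pattern matching is even attempted.
HOST_RE = re.compile(r'^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:.]+\])(:[0-9]+)?$')


def split_domain_port(host_header):
    """Return (domain, port) from a raw Host header, or ('', '') if malformed.
    The domain is lowercased and a single trailing dot is dropped."""
    host = host_header.strip().lower()
    if not HOST_RE.match(host):
        return '', ''
    if host.endswith(']'):                  # bare IPv6 literal, no port
        domain, port = host, ''
    else:
        domain, sep, port = host.rpartition(':')
        if not sep:                         # no port present
            domain, port = host, ''
    if domain.endswith('.'):
        domain = domain[:-1]
    return domain, port


def validate_host(domain, allowed_hosts):
    """True if `domain` matches any pattern in `allowed_hosts`:
    '*' matches anything, '.example.com' matches example.com and every
    subdomain of it, and any other entry must match exactly."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*':
            return True
        if pattern.startswith('.'):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def host_allowed(host_header, allowed_hosts):
    """Full check: syntax first, then pattern matching."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


# Constructed per-environment settings.  Each environment lists its own hosts,
# so the same check can stay switched on in dev, staging and production.
ENVIRONMENTS = {
    'dev':        {'DEBUG': True,  'ALLOWED_HOSTS': ['localhost', '127.0.0.1', '[::1]']},
    'staging':    {'DEBUG': False, 'ALLOWED_HOSTS': ['staging.example.com']},
    'production': {'DEBUG': False, 'ALLOWED_HOSTS': ['.example.com']},
}


def request_accepted(env_name, host_header):
    """Apply the host check unconditionally; DEBUG is deliberately ignored."""
    return host_allowed(host_header, ENVIRONMENTS[env_name]['ALLOWED_HOSTS'])


def find_misconfigurations(env_name, expected_hosts):
    """Return the hosts an environment is meant to serve but would reject.
    Run from a test, this surfaces a bad ALLOWED_HOSTS before deployment."""
    return [h for h in expected_hosts if not request_accepted(env_name, h)]


if __name__ == '__main__':
    # Staging is expected to answer on a www. alias too, but its list only
    # names the bare host, so the alias is reported as a misconfiguration.
    print(find_misconfigurations('staging',
                                 ['staging.example.com', 'www.staging.example.com']))
```

Calling `find_misconfigurations` for each environment from the test suite, with the host names that environment is actually expected to serve, is one way to get the early failure the message asks for without relying on any framework-level DEBUG behaviour.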
