BryanDavis has uploaded a new change for review. https://gerrit.wikimedia.org/r/301904
Change subject: Set ALLOWED_HOSTS to ['*'] by default
......................................................................

Set ALLOWED_HOSTS to ['*'] by default

Set Django's ALLOWED_HOSTS setting to ['*'] by default. This effectively disables the internal Django Host header validation mechanism even when DEBUG is false.

Usage in this form should only be considered safe in a production environment if an HTTP proxy is between the end user and the app and that proxy is only routing specific Host values to the app. This should always be the case in Wikimedia Labs and production environments where nginx and/or varnish will be used in front of the application.

For extra protection, production deployments are encouraged to set a more restrictive ALLOWED_HOSTS value in the locally deployed /etc/striker/striker.ini configuration file.

Change-Id: Ifc1952ffc1ea23d5c156b468c76d64e2d76ac290
---
M striker/settings.py
M striker/striker.ini
2 files changed, 9 insertions(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/labs/striker refs/changes/04/301904/1

diff --git a/striker/settings.py b/striker/settings.py index 2d9ab60..e0cf442 100644 --- a/striker/settings.py +++ b/striker/settings.py @@ -89,7 +89,7 @@ # == Django settings == SECRET_KEY = ini.get('secrets', 'SECRET_KEY') DEBUG = ini.getboolean('debug', 'DEBUG') -ALLOWED_HOSTS = [] +ALLOWED_HOSTS = ini.get('hosts', 'ALLOWED_HOSTS').split() INSTALLED_APPS = ( 'bootstrap3', diff --git a/striker/striker.ini b/striker/striker.ini index 00f071c..5ef944c 100644 --- a/striker/striker.ini +++ b/striker/striker.ini 
@@ -88,3 +88,11 @@ # TTL (in seconds) for a "remember me" login session # Default given here is 14 days REMEMBER_ME_TTL = 1209600 + +[hosts] +# Space separated list of FQDNs and partial hostnames to consider valid. +# The default "*" matches any hostname and is considered insecure for +# production usage due to potential CSRF issues unless a validating proxy +# (e.g. nginx, varnish) is between the application and the client to block +# Host: header manipulation attacks. +ALLOWED_HOSTS = *
--
To view, visit https://gerrit.wikimedia.org/r/301904
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifc1952ffc1ea23d5c156b468c76d64e2d76ac290
Gerrit-PatchSet: 1
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
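Review bot: in the settings.py hunk, `ALLOWED_HOSTS = ini.get('hosts', 'ALLOWED_HOSTS').split()` makes the new `[hosts]` section mandatory rather than defaulted: the API in use is ConfigParser-style (`ini.getboolean('debug', 'DEBUG')` on the line above), and a ConfigParser `get` on a section or option that does not exist raises instead of returning anything, so a locally deployed /etc/striker/striker.ini written before this change and read in place of the in-tree file would stop the application from importing its settings at all instead of landing on the intended `*` default. If `ini` is a Python 3 ConfigParser, `ini.get('hosts', 'ALLOWED_HOSTS', fallback='*').split()` gives the documented default without the hard dependency. Worth a comment either way: an empty value (`ALLOWED_HOSTS =`) splits to `[]`, and with DEBUG false an empty ALLOWED_HOSTS makes Django reject every request with DisallowedHost, which is the opposite of the permissive default the commit message describes.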
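Review bot: the `[hosts]` comment in the striker.ini hunk should state the matching rules instead of "FQDNs and partial hostnames", since the one non-obvious rule is what operators will get wrong: Django treats a value that starts with a dot, e.g. `.wmflabs.org`, as matching that domain and all of its subdomains, compares any other value exactly after lower-casing the Host header and dropping its `:port`, and treats `*` as match-all; a value that itself carries a port, such as `host:8000`, therefore never matches. A line like `# A leading dot allows a domain and all its subdomains, e.g. .wmflabs.org` would cover it. The "potential CSRF issues" wording is also narrower than the actual risk: ALLOWED_HOSTS exists to stop Host header attacks, where URLs Django builds from the request host (password reset links, redirects, cached pages) are poisoned with an attacker-chosen host, so "Host header attacks" is the more accurate phrase. Finally, the proxy caveat only holds when nginx or varnish refuses or drops requests for hostnames it was not configured for; a catch-all server block that forwards whatever Host it receives gives no protection, and the comment should say that the proxy must route only explicitly configured hostnames.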
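The commit message above depends on two things it does not spell out: how `ini.get('hosts', 'ALLOWED_HOSTS').split()` turns the striker.ini value into a list, and what Django then does with that list when it validates the Host header. The Python below is an added example, not code from Striker or Django. It parses constructed striker.ini fragments the way the patched settings.py line does and reimplements Django's documented ALLOWED_HOSTS matching (`*` matches anything, a leading-dot value matches a domain and all of its subdomains, the header is lower-cased and any `:port` is removed before comparison, a malformed header matches nothing) so the effect of the shipped `*` default, a restrictive production override and an accidentally empty value can be compared without running Django. The hostnames toolsadmin.wikimedia.org and .wmflabs.org in the production fragment are assumptions for illustration, as are the probe Host headers.

```python
import configparser
import re

# Constructed striker.ini fragments (not from the repository): the default
# shipped by this change, an assumed restrictive production override, and an
# empty value, which is an easy misconfiguration to make in a local override.
INI_DEFAULT = "[hosts]\nALLOWED_HOSTS = *\n"
INI_PRODUCTION = "[hosts]\nALLOWED_HOSTS = toolsadmin.wikimedia.org .wmflabs.org\n"
INI_EMPTY = "[hosts]\nALLOWED_HOSTS =\n"

# Same shape as Django's host validation regex: a DNS name or a bracketed
# IPv6 literal, optionally followed by :port.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def load_allowed_hosts(ini_text):
    """Reproduce the patched settings.py line: ini.get(...).split().

    A whitespace-separated value becomes a list; an empty value becomes [],
    which with DEBUG=False makes Django reject every request.
    """
    ini = configparser.ConfigParser()
    ini.read_string(ini_text)
    return ini.get("hosts", "ALLOWED_HOSTS").split()


def split_domain_port(host):
    """Lower-case the Host header and strip any :port, as Django does before
    matching. Returns ('', '') for a syntactically invalid header, which then
    matches no pattern except '*'."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # IPv6 literal without a port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:
        domain, port = host, ""
    if domain.endswith("."):  # tolerate a fully qualified trailing dot
        domain = domain[:-1]
    return domain, port


def is_same_domain(host, pattern):
    """Django's rule: exact match, or a leading-dot pattern such as
    '.wmflabs.org' that matches the bare domain and every subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def host_allowed(host_header, allowed_hosts):
    """True if Django would accept this Host header for these ALLOWED_HOSTS."""
    domain, _port = split_domain_port(host_header)
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def check_hosts(ini_text, host_headers):
    """Map each candidate Host header to whether the given striker.ini accepts it."""
    allowed = load_allowed_hosts(ini_text)
    return {h: host_allowed(h, allowed) for h in host_headers}


if __name__ == "__main__":
    # Constructed Host headers: legitimate clients plus an attacker-chosen host
    # of the kind used to poison password-reset links or caches.
    probes = [
        "toolsadmin.wikimedia.org",
        "toolsadmin.wikimedia.org:443",
        "striker.wmflabs.org",
        "wmflabs.org",
        "notwmflabs.org",
        "attacker.example",
    ]
    for label, ini in (("default *", INI_DEFAULT),
                       ("production", INI_PRODUCTION),
                       ("empty", INI_EMPTY)):
        print(label, check_hosts(ini, probes))
```

Running it shows the trade-off the commit message describes: with the `*` default every probe, attacker.example included, is accepted, so the only thing standing between an attacker and a poisoned `request.get_host()` is the proxy refusing unknown hostnames; with the restrictive list only the configured domain and the `.wmflabs.org` subtree pass, ports and case being irrelevant; and with the empty value nothing passes, which is what a stray blank override in /etc/striker/striker.ini would produce.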