BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/301904

Change subject: Set ALLOWED_HOSTS to ['*'] by default
......................................................................

Set ALLOWED_HOSTS to ['*'] by default

Set Django's ALLOWED_HOSTS setting to ['*'] by default. This effectively
disables the internal Django Host header validation mechanism even when
DEBUG is false. Usage in this form should only be considered safe in
a production environment if an HTTP proxy is between the end user and
the app and that proxy is only routing specific Host values to the app.
This should always be the case in Wikimedia Labs and production
environments where nginx and/or varnish will be used in front of the
application.

For extra protection, production deployments are encouraged to set
a more restrictive ALLOWED_HOSTS value in the locally deployed
/etc/striker/striker.ini configuration file.

Change-Id: Ifc1952ffc1ea23d5c156b468c76d64e2d76ac290
---
M striker/settings.py
M striker/striker.ini
2 files changed, 9 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/labs/striker refs/changes/04/301904/1
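Added example (not part of this change or of the striker code base) showing how the space-separated `[hosts]` value the change introduces is parsed and how the resulting list behaves under Django-style host matching; `is_allowed` is a re-implementation of Django's `validate_host` rules written here for illustration, and the two ini snippets are constructed.

```python
import configparser

# Constructed ini fragments: the default this change ships, and a restrictive
# value a deployment might place in its local /etc/striker/striker.ini.
WILDCARD_INI = "[hosts]\nALLOWED_HOSTS = *\n"
RESTRICTED_INI = "[hosts]\nALLOWED_HOSTS = striker.example.org .tools.example\n"


def load_allowed_hosts(ini_text):
    """Parse ALLOWED_HOSTS the way settings.py does: split on whitespace.

    A missing section or key yields [] here (fallback), which is the
    pre-change value that makes Django refuse every request when DEBUG is off.
    """
    ini = configparser.ConfigParser()
    ini.read_string(ini_text)
    return ini.get("hosts", "ALLOWED_HOSTS", fallback="").split()


def _same_domain(host, pattern):
    """Django's is_same_domain: '.example.org' matches the domain and any
    subdomain; anything else must match exactly. (Re-implemented here.)"""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def is_allowed(host, allowed_hosts):
    """Mirror of Django's validate_host: '*' anywhere in the list accepts any
    Host value, otherwise the host must match one pattern."""
    host = host.lower()
    if host.endswith("."):  # Django strips a trailing dot before matching
        host = host[:-1]
    return any(p == "*" or _same_domain(host, p) for p in allowed_hosts)


if __name__ == "__main__":
    for ini_text in (WILDCARD_INI, RESTRICTED_INI):
        hosts = load_allowed_hosts(ini_text)
        for candidate in ("striker.example.org", "Foo.tools.example", "evil.example.net"):
            print(hosts, candidate, is_allowed(candidate, hosts))
```

With the shipped default every Host value is accepted, so the only thing stopping Host header manipulation is the proxy described in the commit message; the restrictive form fails closed for unknown names.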

diff --git a/striker/settings.py b/striker/settings.py
index 2d9ab60..e0cf442 100644
--- a/striker/settings.py
+++ b/striker/settings.py
@@ -89,7 +89,7 @@
 # == Django settings ==
 SECRET_KEY = ini.get('secrets', 'SECRET_KEY')
 DEBUG = ini.getboolean('debug', 'DEBUG')
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ini.get('hosts', 'ALLOWED_HOSTS').split()
 
 INSTALLED_APPS = (
     'bootstrap3',
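Review bot: the new `ini.get('hosts', 'ALLOWED_HOSTS')` line raises `configparser.NoSectionError` at import time when the locally deployed /etc/striker/striker.ini predates this change and has no `[hosts]` section, so the "by default" in the subject only holds if the shipped striker.ini is loaded as a defaults layer underneath the local file. If it is not, `ini.get('hosts', 'ALLOWED_HOSTS', fallback='*')` (Python 3 configparser) keeps an older deployment bootable. A one-line comment would also help: an empty value splits to `[]`, which restores the previous fail-closed behaviour when DEBUG is false, whereas `*` anywhere in the list accepts every Host value.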
diff --git a/striker/striker.ini b/striker/striker.ini
index 00f071c..5ef944c 100644
--- a/striker/striker.ini
+++ b/striker/striker.ini
@@ -88,3 +88,11 @@
 # TTL (in seconds) for a "remember me" login session
 # Default given here is 14 days
 REMEMBER_ME_TTL = 1209600
+
+[hosts]
+# Space separated list of FQDNs and partial hostnames to consider valid.
+# The default "*" matches any hostname and is considered insecure for
+# production usage due to potential CSRF issues unless a validating proxy
+# (e.g. nginx, varnish) is between the application and the client to block
+# Host: header manipulation attacks.
+ALLOWED_HOSTS = *
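Review bot: "partial hostnames" in the new comment should spell out the form Django actually honours, a leading dot such as `.example.org` matching that domain and every subdomain, since a bare substring is not matched. The "CSRF issues" wording is also imprecise: Django's ALLOWED_HOSTS check exists to block HTTP Host header attacks (poisoned password-reset links, cache poisoning), which is what the fronting proxy must prevent by routing only known Host values to the app. Suggest stating the requirement directly, e.g. "set this to the real hostnames whenever the app is reachable without such a proxy".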

-- 
To view, visit https://gerrit.wikimedia.org/r/301904
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifc1952ffc1ea23d5c156b468c76d64e2d76ac290
Gerrit-PatchSet: 1
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
