diff options
| author | brian avery <avery.brian@gmail.com> | 2016-11-23 10:55:20 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-28 14:23:48 +0000 |
| commit | ae9b341ecfcc60e970f29cfe04306411ad26c0cf (patch) | |
| tree | ada9407cc05c075e2ee30931b4fe420ea868d702 | |
| parent | 3bf928a3b6354bc09c87fcbf9e3972c8d368aaa3 (diff) | |
| download | poky-ae9b341ecfcc60e970f29cfe04306411ad26c0cf.tar.gz | |
bitbake: bitbake: toaster: settings set ALLOWED_HOSTS to * in debug mode
This is a backport of 7c3a47ed8965c3a3eb90a9a4678d5caedbba6337
>From the commit to master:
As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOST list. We often need to reference the toaster
server via a fqdn, if we start it via webport=0.0.0.0:8000 for instance,
and are hitting the server from a laptop. This change does reduce the
protection from a DNS rebinding attack, however, if you are running the
toaster server outside a protected network, you should be using the
production instance.
[YOCTO #10586]
(Bitbake rev: 449dc9b955dfbe048e380f5ab9fd61c3d1489dad)
Signed-off-by: brian avery <brian.avery@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | bitbake/lib/toaster/toastermain/settings.py | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/bitbake/lib/toaster/toastermain/settings.py b/bitbake/lib/toaster/toastermain/settings.py index 74ab60462b..6572acc696 100644 --- a/bitbake/lib/toaster/toastermain/settings.py +++ b/bitbake/lib/toaster/toastermain/settings.py | |||
| @@ -107,9 +107,19 @@ def getDATABASE_URL(): | |||
| 107 | 107 | ||
| 108 | 108 | ||
| 109 | 109 | ||
| 110 | # Hosts/domain names that are valid for this site; required if DEBUG is False | 110 | # Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running |
| 111 | # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts | 111 | # on hosts without explicitly setting the fqdn for the toaster server. |
| 112 | ALLOWED_HOSTS = [] | 112 | # See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS |
| 113 | # Previously this setting was not enforced if DEBUG was set but it is now. | ||
| 114 | # The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1'] | ||
| 115 | # and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work. | ||
| 116 | # To have that same behavior, with a fqdn explicitly enabled you would set | ||
| 117 | # ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for | ||
| 118 | # Django >= 1.8.16. By default, we are not enforcing this restriction in | ||
| 119 | # DEBUG mode. | ||
| 120 | if DEBUG is True: | ||
| 121 | # this will allow connection via localhost,hostname, or fqdn | ||
| 122 | ALLOWED_HOSTS = ['*'] | ||
| 113 | 123 | ||
| 114 | # Local time zone for this installation. Choices can be found here: | 124 | # Local time zone for this installation. Choices can be found here: |
| 115 | # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name | 125 | # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name |