author | brian avery <brian.avery@intel.com> | 2016-11-04 12:27:06 +0000 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-16 11:38:51 +0000 |
commit | 73454473d7c286c41ee697f74052fed03c79f9f5 (patch) | |
tree | 8a761b77b018dc4b9dc220c84a2038010484a495 /bitbake/lib | |
parent | ee6fb7521b0182ba8981eee72e1e295a099f3a48 (diff) | |
download | poky-73454473d7c286c41ee697f74052fed03c79f9f5.tar.gz |
bitbake: toaster: settings set ALLOWED_HOSTS to * in debug mode
As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOSTS list. We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack, however, if you are
running the toaster server outside a protected network, you should be
using the production instance.
[YOCTO #10578]
(Bitbake rev: 59a3f391ac5ac194f30d11a39676356464269d55)
Signed-off-by: brian avery <brian.avery@intel.com>
Signed-off-by: Michael Wood <michael.g.wood@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'bitbake/lib')
-rw-r--r-- | bitbake/lib/toaster/toastermain/settings.py | 16 |
1 files changed, 13 insertions, 3 deletions
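--- a/bitbake/lib/toaster/toastermain/settings.py
+++ b/bitbake/lib/toaster/toastermain/settings.py
@@ -60,9 +60,19 @@ DATABASES = {
 if 'sqlite' in DATABASES['default']['ENGINE']:
     DATABASES['default']['OPTIONS'] = { 'timeout': 20 }
 
-# Hosts/domain names that are valid for this site; required if DEBUG is False
-# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts without explicitly setting the fqdn for the toaster server.
+# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS
+# Previously this setting was not enforced if DEBUG was set but it is now.
+# The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1']
+# and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work.
+# To have that same behavior, with a fqdn explicitly enabled you would set
+# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for
+# Django >= 1.8.16. By default, we are not enforcing this restriction in
+# DEBUG mode.
+if DEBUG is True:
+    # this will allow connection via localhost,hostname, or fqdn
+    ALLOWED_HOSTS = ['*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name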
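Review bot: The new block (new lines 73-75) assigns ALLOWED_HOSTS only when DEBUG is true and the hunk removes the unconditional `ALLOWED_HOSTS = []`, so in non-debug mode the setting is no longer declared in this file at all and silently falls back to Django's global default, leaving a deployer no visible place to list the production hostnames. Keeping the empty default ahead of the conditional preserves that knob and documents the two modes side by side: `ALLOWED_HOSTS = []` followed by `if DEBUG:` and `    ALLOWED_HOSTS = ['*']`; `if DEBUG:` is also the idiomatic form of `if DEBUG is True:`. The comment on new line 74 should state the trade-off the commit message already admits, e.g. `# '*' disables Django's Host-header validation (DNS-rebinding protection); debug/trusted-network use only`, since readers of settings.py will not see the commit message. DEBUG is defined outside this hunk, so whether it can be true in a deployed instance cannot be judged from here.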