The documentation has this to say about the purpose of ALLOWED_HOSTS:
This is a security measure to prevent an attacker from poisoning caches
and triggering password reset emails with links to malicious hosts by
submitting requests with a fake HTTP Host header, which is possible even
under many seemingly-safe web server configurations.
For a newcomer, this can be confusing, as evidenced by:
1. The necessity of this StackExchange question:
http://security.stackexchange.com/q/45687/5997 and
2. The initial answer's resorting to past release notes for more
information: http://security.stackexchange.com/a/62313/5997
After further research, I found out that this measure prevents HTTP Host
Header attacks; detailed write-ups can be found online. Some people
(including myself) find this post confusing, at least in part because:
1. The single, long sentence makes it confusing for a newcomer.
2. Lack of an attack name makes it hard to learn more.
3. Several HTTP Host header attacks are strung together in one
description, even though not all Host header attacks involve caches or
password reset emails.
Note that the description is also at least partially imprecise (see point
3 above).
= Proposed Solution =
This is a security measure to prevent HTTP Host header attacks, in which
an attacker uses malicious HTTP Host header values to inject code, trigger
password reset emails, etc. HTTP Host header attacks can exploit the
behavior of web applications, web servers, and web caches, even under many
seemingly-safe web server configurations.
Benefits
1. Breaks up description into more compact sentences to decrease "wat?"
factor.
2. Provides name of attack so that users can easily learn more.
3. More carefully distinguishes the general purpose (prevent HTTP Host
header attacks) from specific examples of target (password reset emails)
and vector (poisoning caches).
4. Maintains the "even under many seemingly-safe web serve configurations"
that will hopefully encourage people to use this feature.
--
Ticket URL: <https://code.djangoproject.com/ticket/26419>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* needs_better_patch: => 0
* has_patch: 0 => 1
* needs_tests: => 0
* needs_docs: => 0
Old description:
New description:
= Problem =
= Proposed Solution =
Patch: https://github.com/django/django/pull/6357
--
--
Ticket URL: <https://code.djangoproject.com/ticket/26419#comment:1>
Old description:
> Patch: https://github.com/django/django/pull/6357
New description:
= Problem =
= Proposed Solution =
= Patch =
https://github.com/django/django/pull/6357
= References =
1. Current documentation:
https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-
ALLOWED_HOSTS
2. StackExchange question:
http://security.stackexchange.com/questions/45687/what-does-djangos-
allowed-hosts-variable-actually-do/
3. Release notes from original introduction:
https://www.djangoproject.com/weblog/2013/feb/19/security/#s-issue-host-
header-poisoning
4. (It'd be nice to have a link to the discussion or patch that motivated
ALLOWED_HOSTS)
5. Overview of Practical HTTP Host Header attacks, including an
explanation of the Django fix: http://www.skeletonscribe.net/2013/05
/practical-http-host-header-attacks.html
--
--
Ticket URL: <https://code.djangoproject.com/ticket/26419#comment:2>
* needs_better_patch: 0 => 1
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/26419#comment:3>
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"f8b31dfdfc0cf6a516bcbc10c4e2f696ce3a9bda" f8b31dfd]:
{{{
#!CommitTicketReference repository=""
revision="f8b31dfdfc0cf6a516bcbc10c4e2f696ce3a9bda"
Fixed #26419 -- Added a link in ALLOWED_HOSTS docs.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26419#comment:4>
Comment (by Tim Graham <timograham@…>):
In [changeset:"f8b88f6a6bbfec210c2a87b75d2837cbe57f8e42" f8b88f6]:
{{{
#!CommitTicketReference repository=""
revision="f8b88f6a6bbfec210c2a87b75d2837cbe57f8e42"
[1.9.x] Fixed #26419 -- Added a link in ALLOWED_HOSTS docs.
Backport of f8b31dfdfc0cf6a516bcbc10c4e2f696ce3a9bda from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26419#comment:5>