#16901 closed Uncategorized (wontfix)
Admin: Post save redirect behaves differently since 1.3.1
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Uncategorized | Version: | 1.3 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If the django development server sits behind some sort of reverse proxy for example MAMP and therefore the django admin site is used with a virtual host/domain name for example "projectname.dev" the post save 302 redirect goes to 127.0.0.1:8000 instead projectname.dev. This happens if you save any model instance over the admin since 1.3.1. If you go back to 1.3 the 302 uses the correct hostname instead of IP:port address.
Note:
See TracTickets
for help on using tickets.
I believe this is due to the fix for one of the security issues that necessitated the release of 1.3.1 - the possibility of an attacker spoofing the X-Forwarded-Host header and poisoning the cache with pages served with wrong URLs. As mentioned in the security advisory linked from the 1.3.1 release notes, part of the fix for this involved disabling use of the X-Forwarded-Host header by default. You can re-enable it via the USE_X_FORWARDED_HOST setting, which I'm guessing will fix your problem. You should be aware, though, that if your site is ever not behind a proxy that sets and validates the X-Forwarded-Host header, having this setting set to True is a security risk.
Hope that helps - thanks for the report!