Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#16901 closed Uncategorized (wontfix)

Admin: Post save redirect behaves differently since 1.3.1

Reported by: Lenz Hirsch <hirsch@…> Owned by: nobody
Component: Uncategorized Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If the django development server sits behind some sort of reverse proxy for example MAMP and therefore the django admin site is used with a virtual host/domain name for example "projectname.dev" the post save 302 redirect goes to 127.0.0.1:8000 instead projectname.dev. This happens if you save any model instance over the admin since 1.3.1. If you go back to 1.3 the 302 uses the correct hostname instead of IP:port address.

Change History (2)

comment:1 by Carl Meyer, 13 years ago

Resolution: wontfix
Status: newclosed

I believe this is due to the fix for one of the security issues that necessitated the release of 1.3.1 - the possibility of an attacker spoofing the X-Forwarded-Host header and poisoning the cache with pages served with wrong URLs. As mentioned in the security advisory linked from the 1.3.1 release notes, part of the fix for this involved disabling use of the X-Forwarded-Host header by default. You can re-enable it via the USE_X_FORWARDED_HOST setting, which I'm guessing will fix your problem. You should be aware, though, that if your site is ever not behind a proxy that sets and validates the X-Forwarded-Host header, having this setting set to True is a security risk.

Hope that helps - thanks for the report!

comment:2 by Lenz Hirsch <hirsch@…>, 13 years ago

Thanks a lot!

USE_X_FORWARDED_HOST = True


indeed fixes the problem.

Note: See TracTickets for help on using tickets.
Back to Top