#26419 closed Cleanup/optimization (fixed)
Description of ALLOWED_HOSTS confusing
| Reported by: | Joshua Pereyda | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.9 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Problem
The documentation has this to say about the purpose of ALLOWED_HOSTS:
This is a security measure to prevent an attacker from poisoning caches and triggering password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.
For a newcomer, this can be confusing, as evidenced by:
- The necessity of this StackExchange question: http://security.stackexchange.com/q/45687/5997 and
- The initial answer's resorting to past release notes for more information: http://security.stackexchange.com/a/62313/5997
After further research, I found out that this measure prevents HTTP Host Header attacks; detailed write-ups can be found online. Some people (including myself) find this post confusing, at least in part because:
- The single, long sentence makes it confusing for a newcomer.
- Lack of an attack name makes it hard to learn more.
- Several HTTP Host header attacks are strung together in one description, even though not all Host header attacks involve caches or password reset emails.
Note that the description is also at least partially imprecise (see point 3 above).
Proposed Solution
This is a security measure to prevent HTTP Host header attacks, in which an attacker uses malicious HTTP Host header values to inject code, trigger password reset emails, etc. HTTP Host header attacks can exploit the behavior of web applications, web servers, and web caches, even under many seemingly-safe web server configurations.
Benefits
- Breaks up description into more compact sentences to decrease "wat?" factor.
- Provides name of attack so that users can easily learn more.
- More carefully distinguishes the general purpose (prevent HTTP Host header attacks) from specific examples of target (password reset emails) and vector (poisoning caches).
- Maintains the "even under many seemingly-safe web serve configurations" that will hopefully encourage people to use this feature.
Patch
https://github.com/django/django/pull/6357
References
- Current documentation: https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-ALLOWED_HOSTS
- StackExchange question: http://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do/
- Release notes from original introduction: https://www.djangoproject.com/weblog/2013/feb/19/security/#s-issue-host-header-poisoning
- (It'd be nice to have a link to the discussion or patch that motivated ALLOWED_HOSTS)
- Overview of Practical HTTP Host Header attacks, including an explanation of the Django fix: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Change History (5)
comment:1 by , 9 years ago
| Description: | modified (diff) |
|---|---|
| Has patch: | set |
comment:2 by , 9 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 9 years ago
| Patch needs improvement: | set |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:4 by , 9 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
In f8b31dfd: