Changes between Version 1 and Version 2 of Ticket #26419


Ignore:
Timestamp:
Mar 29, 2016, 12:48:08 PM (9 years ago)
Author:
Joshua Pereyda
Comment:

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #26419 – Description

    v1 v2  
    27274. Maintains the "even under many seemingly-safe web serve configurations" that will hopefully encourage people to use this feature.
    2828
    29 Patch: https://github.com/django/django/pull/6357
     29= Patch =
     30https://github.com/django/django/pull/6357
     31
     32= References =
     331. Current documentation: https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-ALLOWED_HOSTS
     342. StackExchange question: http://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do/
     353. Release notes from original introduction: https://www.djangoproject.com/weblog/2013/feb/19/security/#s-issue-host-header-poisoning
     364. (It'd be nice to have a link to the discussion or patch that motivated ALLOWED_HOSTS)
     375. Overview of Practical HTTP Host Header attacks, including an explanation of the Django fix: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Back to Top