Opened 9 years ago

Last modified 9 years ago

#26419 closed Cleanup/optimization

Description of ALLOWED_HOSTS confusing — at Version 2

Reported by: Joshua Pereyda Owned by: nobody
Component: Documentation Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Joshua Pereyda)

Problem

The documentation has this to say about the purpose of ALLOWED_HOSTS:

This is a security measure to prevent an attacker from poisoning caches and triggering password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.

For a newcomer, this can be confusing, as evidenced by:

  1. The necessity of this StackExchange question: http://security.stackexchange.com/q/45687/5997 and
  2. The initial answer's resorting to past release notes for more information: http://security.stackexchange.com/a/62313/5997

After further research, I found out that this measure prevents HTTP Host Header attacks; detailed write-ups can be found online. Some people (including myself) find this post confusing, at least in part because:

  1. The single, long sentence makes it confusing for a newcomer.
  2. Lack of an attack name makes it hard to learn more.
  3. Several HTTP Host header attacks are strung together in one description, even though not all Host header attacks involve caches or password reset emails.

Note that the description is also at least partially imprecise (see point 3 above).

Proposed Solution

This is a security measure to prevent HTTP Host header attacks, in which an attacker uses malicious HTTP Host header values to inject code, trigger password reset emails, etc. HTTP Host header attacks can exploit the behavior of web applications, web servers, and web caches, even under many seemingly-safe web server configurations.

Benefits

  1. Breaks up description into more compact sentences to decrease "wat?" factor.
  2. Provides name of attack so that users can easily learn more.
  3. More carefully distinguishes the general purpose (prevent HTTP Host header attacks) from specific examples of target (password reset emails) and vector (poisoning caches).
  4. Maintains the "even under many seemingly-safe web serve configurations" that will hopefully encourage people to use this feature.

Patch

https://github.com/django/django/pull/6357

References

  1. Current documentation: https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-ALLOWED_HOSTS
  2. StackExchange question: http://security.stackexchange.com/questions/45687/what-does-djangos-allowed-hosts-variable-actually-do/
  3. Release notes from original introduction: https://www.djangoproject.com/weblog/2013/feb/19/security/#s-issue-host-header-poisoning
  4. (It'd be nice to have a link to the discussion or patch that motivated ALLOWED_HOSTS)
  5. Overview of Practical HTTP Host Header attacks, including an explanation of the Django fix: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

Change History (2)

comment:1 by Joshua Pereyda, 9 years ago

Description: modified (diff)
Has patch: set

comment:2 by Joshua Pereyda, 9 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top