* [PATCH 0/1] toaster: set ALLOWED_HOSTS to *
@ 2016-11-02 19:33 brian avery
  2016-11-02 19:33 ` [PATCH 1/1] toaster: settings.py , " brian avery
  2016-11-02 19:39 ` [PATCH 0/1] toaster: " Brian Avery
  0 siblings, 2 replies; 4+ messages in thread
From: brian avery @ 2016-11-02 19:33 UTC (permalink / raw)
  To: toaster; +Cc: brian avery

Django 1.8.16 now enforces ALLOWED_HOSTS even if DEBUG is true.  Therefore,
we need to set the value to '*' to allow us to connect to a toaster instance
from off server.  It is also needed to allow connection to the toaster instance
in certain kinds of containers.

Since the non-localhost interface is only bound to if we explicitly start toaster
with webport=0.0.0.0:<port>, this change will not expose additional vulnerabilities.

-Brian

The following changes since commit c3d2df883a9d6d5036277114339673656d89a728:

  oeqa/selftest/kernel.py: Add new file destined for kernel related tests (2016-11-01 10:05:46 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib bavery/toaster/fixALLOWED_HOSTexclusionV2
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=bavery/toaster/fixALLOWED_HOSTexclusionV2

brian avery (1):
  toaster: settings.py , set ALLOWED_HOSTS to *

 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--
1.9.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 1/1] toaster: settings.py , set ALLOWED_HOSTS to *
  2016-11-02 19:33 [PATCH 0/1] toaster: set ALLOWED_HOSTS to * brian avery
@ 2016-11-02 19:33 ` brian avery
  2016-11-02 19:39 ` [PATCH 0/1] toaster: " Brian Avery
  1 sibling, 0 replies; 4+ messages in thread
From: brian avery @ 2016-11-02 19:33 UTC (permalink / raw)
  To: toaster; +Cc: brian avery

As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOST list.  We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack, however, if you are
running the toaster server outside a protected network, you should be
using the production instance.

Fixes [YOCTO #10578].

Signed-off-by: brian avery <brian.avery@intel.com>
---
 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
index 3dfa2b2..aec9dbb 100644
--- a/lib/toaster/toastermain/settings.py
+++ b/lib/toaster/toastermain/settings.py
@@ -60,9 +60,19 @@ DATABASES = {
 if 'sqlite' in DATABASES['default']['ENGINE']:
     DATABASES['default']['OPTIONS'] = { 'timeout': 20 }
 
-# Hosts/domain names that are valid for this site; required if DEBUG is False
-# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts without explicitly setting the fqdn for the toaster server.
+# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS
+# Previously this setting was not enforced if DEBUG was set but it is now.
+# The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1']
+# and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work.
+# To have that same behavior, with a fqdn explicitly enabled you would set
+# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for
+# Django >= 1.8.16. By default, we are not enforcing this restriction in
+# DEBUG mode.
+if DEBUG is True:
+    # this will allow connection via localhost,hostname, or fqdn
+    ALLOWED_HOSTS = ['*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
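Review bot: with this hunk the DEBUG=False case no longer sets ALLOWED_HOSTS in settings.py at all: the removed `ALLOWED_HOSTS = []` is only re-added inside `if DEBUG is True:`, so a non-debug (production) instance now relies implicitly on Django's global default of an empty list, which rejects every Host header with 400 until the deployer sets the value somewhere else. The behaviour is the same as before, but the production requirement is now invisible; suggest keeping the branch explicit, e.g. `else:` / `    ALLOWED_HOSTS = []  # production: list your fqdn here`, and writing `if DEBUG:` rather than `if DEBUG is True:`. Two points in the new comment block: Django's DEBUG-mode fallback list is `['localhost', '127.0.0.1', '[::1]']`, with the IPv6 loopback in brackets, which is the form the Host header check compares against, so the unbracketed `'::1'` given in the comment and in the suggested explicit list would never match `Host: [::1]:8000`; and the `/en/dev/` docs link tracks whatever Django release is current instead of the 1.8 release this change targets. Finally, the comment never states the trade-off the commit message does, namely that `'*'` disables Host header validation entirely and gives up the DNS rebinding protection 1.8.16 added; one line next to `ALLOWED_HOSTS = ['*']` saying so would save the next reader a trip to the git log.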
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 4+ messages in thread
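To make the effect of the three settings discussed in this patch (an empty list, `['*']`, and an explicit host list) visible side by side, here is a stand-alone Python re-implementation of the Host header check that Django 1.8.16 applies. This is added example code, not Toaster's or Django's own source; the host names, the build-box fqdn and the rebinding host name are constructed for illustration.

```python
import re

# Host header validation as Django >= 1.8.16 performs it, re-implemented
# stand-alone so it runs without Django installed. Added example code, not
# Toaster's or Django's source; all host names below are constructed.

# Shape Django accepts for a Host header: a domain name or a bracketed
# IPv6 literal, with an optional ":port" suffix.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")

# What Django falls back to when DEBUG is on and ALLOWED_HOSTS is empty.
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host):
    """Return (domain, port) for a Host header, or ('', '') if it is malformed."""
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":
        # Bare IPv6 literal without a port. The brackets are kept: they are
        # part of what ALLOWED_HOSTS entries are compared against.
        return host, ""
    bits = host.rsplit(":", 1)
    if len(bits) == 2:
        return bits[0], bits[1]
    return bits[0], ""


def is_same_domain(host, pattern):
    """Exact match, or a leading-dot pattern matching the domain and its subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(domain, allowed_hosts):
    """True if domain matches any ALLOWED_HOSTS entry; '*' matches everything."""
    domain = domain[:-1] if domain.endswith(".") else domain  # strip FQDN trailing dot
    return any(pattern == "*" or is_same_domain(domain, pattern) for pattern in allowed_hosts)


def check_host(host_header, allowed_hosts, debug):
    """Return True if a request with this Host header would be served, False if
    Django would answer 400 Bad Request under the given ALLOWED_HOSTS and DEBUG."""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


# Three settings.py configurations for a Toaster dev server started with
# webport=0.0.0.0:8000 (all with DEBUG on). "buildbox.example.com" is assumed.
CONFIGS = {
    "Toaster on 1.8.16 before this patch ([])": ([], True),
    "this patch (['*'])": (["*"], True),
    "explicit list": (["localhost", "127.0.0.1", "[::1]", "buildbox.example.com"], True),
}

# Constructed Host headers: a developer's laptop reaching the build box by fqdn,
# and a DNS-rebinding page whose host name has been re-pointed at Toaster's IP.
HOSTS = ["localhost:8000", "buildbox.example.com:8000", "rebind.attacker.example:8000"]


def matrix():
    """Map each configuration to which of the sample Host headers it would serve."""
    return {name: {h: check_host(h, allowed, debug) for h in HOSTS}
            for name, (allowed, debug) in CONFIGS.items()}


if __name__ == "__main__":
    for name, results in matrix().items():
        print(name)
        for host, served in results.items():
            print("  %-32s %s" % (host, "served" if served else "400 Bad Request"))
```

Running it shows the point of the commit message in one table: the empty list serves only the loopback names, `['*']` serves everything including the rebinding host, and the explicit list serves the fqdn while still rejecting the rebinding host. Note that `[::1]` must be listed with its brackets; an entry of `::1` never matches because the bracketed form is what the comparison sees.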

* Re: [PATCH 0/1] toaster: set ALLOWED_HOSTS to *
  2016-11-02 19:33 [PATCH 0/1] toaster: set ALLOWED_HOSTS to * brian avery
  2016-11-02 19:33 ` [PATCH 1/1] toaster: settings.py , " brian avery
@ 2016-11-02 19:39 ` Brian Avery
  2016-11-04 12:30   ` Michael Wood
  1 sibling, 1 reply; 4+ messages in thread
From: Brian Avery @ 2016-11-02 19:39 UTC (permalink / raw)
  To: brian avery; +Cc: toaster


This is V2; bad subject line :(.

-b
an intel employee

On Wed, Nov 2, 2016 at 12:33 PM, brian avery <brian.avery@intel.com> wrote:

> Django 1.8.16 now enforces ALLOWED_HOSTS even if DEBUG is true.  Therefore,
> we need to set the value to '*' to allow us to connect to a toaster
> instance
> from off server.  It is also needed to allow connection to the toaster
> instance
> in certain kinds of containers.
>
> Since the non-localhost interface is only bound to if we explicitly start
> toaster
> with webport=0.0.0.0:<port>, this change will not expose additional
> vulnerabilities.
>
> -Brian
>
> The following changes since commit c3d2df883a9d6d5036277114339673656d89a728:
>
>   oeqa/selftest/kernel.py: Add new file destined for kernel related tests
> (2016-11-01 10:05:46 +0000)
>
> are available in the git repository at:
>
>   git://git.yoctoproject.org/poky-contrib bavery/toaster/fixALLOWED_HOSTexclusionV2
>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=bavery/toaster/fixALLOWED_HOSTexclusionV2
>
> brian avery (1):
>   toaster: settings.py , set ALLOWED_HOSTS to *
>
>  lib/toaster/toastermain/settings.py | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
>
> --
> 1.9.1
> --
> _______________________________________________
> toaster mailing list
> toaster@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/toaster
>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 0/1] toaster: set ALLOWED_HOSTS to *
  2016-11-02 19:39 ` [PATCH 0/1] toaster: " Brian Avery
@ 2016-11-04 12:30   ` Michael Wood
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Wood @ 2016-11-04 12:30 UTC (permalink / raw)
  To: toaster

Thanks sent upstream and applied to toaster-next

Michael

On 02/11/16 19:39, Brian Avery wrote:
> This is V2; bad subject line :(.
>
> -b
> an intel employee
>
> On Wed, Nov 2, 2016 at 12:33 PM, brian avery <brian.avery@intel.com> wrote:
>
>     Django 1.8.16 now enforces ALLOWED_HOSTS even if DEBUG is true.
>     Therefore,
>     we need to set the value to '*' to allow us to connect to a
>     toaster instance
>     from off server.  It is also needed to allow connection to the
>     toaster instance
>     in certain kinds of containers.
>
>     Since the non-localhost interface is only bound to if we
>     explicitly start toaster
>     with webport=0.0.0.0:<port>, this change will not
>     expose additional vulnerabilities.
>
>     -Brian
>
>     The following changes since commit
>     c3d2df883a9d6d5036277114339673656d89a728:
>
>       oeqa/selftest/kernel.py: Add new file destined for kernel
>     related tests (2016-11-01 10:05:46 +0000)
>
>     are available in the git repository at:
>
>       git://git.yoctoproject.org/poky-contrib bavery/toaster/fixALLOWED_HOSTexclusionV2
>       http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=bavery/toaster/fixALLOWED_HOSTexclusionV2
>
>     brian avery (1):
>       toaster: settings.py , set ALLOWED_HOSTS to *
>
>      lib/toaster/toastermain/settings.py | 16 +++++++++++++---
>      1 file changed, 13 insertions(+), 3 deletions(-)
>
>     --
>     1.9.1
>     --
>     _______________________________________________
>     toaster mailing list
>     toaster@yoctoproject.org
>     https://lists.yoctoproject.org/listinfo/toaster
>
>
>
>



^ permalink raw reply	[flat|nested] 4+ messages in thread
