* [PATCH 0/1] [krogoth] toaster: settings.py , add * to ALLOWED_HOSTS
@ 2016-11-23 18:55 ` brian avery
  0 siblings, 0 replies; 4+ messages in thread
From: brian avery @ 2016-11-21 21:41 UTC (permalink / raw)
  To: toaster; +Cc: brian avery

This backports 7c3a47ed8965c3a3eb90a9a4678d5caedbba6337 to krogoth so that
toaster can work with Django (1.8.16).

From the patch to master's message:
As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOSTS list.  We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack; however, if you are
running the toaster server outside a protected network, you need to be
using the production instance.

Fixes [YOCTO #10586].



The following changes since commit 3bf928a3b6354bc09c87fcbf9e3972c8d368aaa3:

  dev-manual: Fixed typo for "${INC_PR}.0" (2016-11-16 10:38:24 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib bavery/toaster/krogoth-HOSTFIX
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=bavery/toaster/krogoth-HOSTFIX

brian avery (1):
  bitbake: toaster: settings set ALLOWED_HOSTS to * in debug mode

 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--
1.9.1



* [PATCH 1/1] bitbake: toaster: settings set ALLOWED_HOSTS to * in debug mode
  2016-11-23 18:55 ` brian avery
@ 2016-11-23 18:55   ` brian avery
  -1 siblings, 0 replies; 4+ messages in thread
From: brian avery @ 2016-11-21 21:41 UTC (permalink / raw)
  To: toaster; +Cc: brian avery

This is a backport of 7c3a47ed8965c3a3eb90a9a4678d5caedbba6337

From the commit to master:
As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOSTS list.  We often need to reference the toaster
server via a fqdn, if we start it via webport=0.0.0.0:8000 for instance,
and are hitting the server from a laptop. This change does reduce the
protection from a DNS rebinding attack; however, if you are running the
toaster server outside a protected network, you should be using the
production instance.

[YOCTO #10586]

Signed-off-by: brian avery <brian.avery@intel.com>
---
 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
index 74ab604..6572acc 100644
--- a/lib/toaster/toastermain/settings.py
+++ b/lib/toaster/toastermain/settings.py
@@ -107,9 +107,19 @@ def getDATABASE_URL():
 
 
 
-# Hosts/domain names that are valid for this site; required if DEBUG is False
-# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts without explicitly setting the fqdn for the toaster server.
+# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS
+# Previously this setting was not enforced if DEBUG was set but it is now.
+# The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1']
+# and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work.
+# To have that same behavior, with a fqdn explicitly enabled you would set
+# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for
+# Django >= 1.8.16. By default, we are not enforcing this restriction in
+# DEBUG mode.
+if DEBUG is True:
+    # this will allow connection via localhost,hostname, or fqdn
+    ALLOWED_HOSTS = ['*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
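Review bot: With `ALLOWED_HOSTS = []` removed and no `else` branch on `if DEBUG is True:`, the setting is assigned only in DEBUG mode, and there `['*']` switches Host header validation off entirely. The new comment block already spells out the narrower alternative; consider keeping an explicit assignment such as `ALLOWED_HOSTS = ['localhost','127.0.0.1','::1']` and letting a deployment append its fqdn, so that the DNS rebinding protection the commit message mentions is given up only by an operator's choice rather than by default.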
-- 
1.9.1
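
The Host header check the commit message describes, as an added example that is not part of the original patch or of Django's code: a simplified model of allow-list matching, run over constructed Host values, comparing the explicit list from the patch comment with the `['*']` the patch sets. The function names and sample hostnames are assumptions.

```python
# Added example: simplified model of Host header allow-list matching.
# Not Django's implementation; the hostnames below are constructed samples.

def split_host_port(host):
    """Return the lowercased host part of a Host header value, port removed."""
    host = host.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    if host.count(":") == 1:                 # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")                  # ignore a trailing root dot


def host_allowed(host_header, allowed_hosts):
    """True if the Host header matches an entry in allowed_hosts."""
    host = split_host_port(host_header)
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":                   # wildcard: every Host value passes
            return True
        if pattern.startswith("."):          # ".example.com" covers the domain and subdomains
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


# The explicit list given in the patch comment, and the wildcard the patch sets.
EXPLICIT = ["localhost", "127.0.0.1", "::1", "myserver.mycompany.com"]
WILDCARD = ["*"]

# Constructed Host values; the last is a name the operator never configured,
# which is what a browser sends when a rebinding page's domain resolves to the server.
SAMPLES = ["localhost:8000", "[::1]:8000", "myserver.mycompany.com:8000",
           "rebind.attacker.example:8000"]


def compare(samples=SAMPLES):
    """Map each sample to (accepted by EXPLICIT, accepted by WILDCARD)."""
    return {h: (host_allowed(h, EXPLICIT), host_allowed(h, WILDCARD)) for h in samples}


if __name__ == "__main__":
    for host, (explicit, wildcard) in compare().items():
        print(f"{host:32} explicit={explicit!s:5} wildcard={wildcard}")
```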




* [PATCH 0/1] [krogoth] toaster: settings.py , add * to ALLOWED_HOSTS
@ 2016-11-23 18:55 ` brian avery
  0 siblings, 0 replies; 4+ messages in thread
From: brian avery @ 2016-11-23 18:55 UTC (permalink / raw)
  To: bitbake-devel; +Cc: brian avery

This backports 7c3a47ed8965c3a3eb90a9a4678d5caedbba6337 to krogoth so that
toaster can work with Django (1.8.16).

From the patch to master's message:
As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOSTS list.  We often need to reference the
toaster server via a fqdn, if we start it via webport=0.0.0.0:8000 for
instance, and are hitting the server from a laptop. This change does
reduce the protection from a DNS rebinding attack; however, if you are
running the toaster server outside a protected network, you need to be
using the production instance.

Fixes [YOCTO #10586].



The following changes since commit 3bf928a3b6354bc09c87fcbf9e3972c8d368aaa3:

  dev-manual: Fixed typo for "${INC_PR}.0" (2016-11-16 10:38:24 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib bavery/toaster/krogoth-HOSTFIX
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=bavery/toaster/krogoth-HOSTFIX

brian avery (1):
  bitbake: toaster: settings set ALLOWED_HOSTS to * in debug mode

 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--
1.9.1



* [PATCH 1/1] bitbake: toaster: settings set ALLOWED_HOSTS to * in debug mode
@ 2016-11-23 18:55   ` brian avery
  0 siblings, 0 replies; 4+ messages in thread
From: brian avery @ 2016-11-23 18:55 UTC (permalink / raw)
  To: bitbake-devel; +Cc: brian avery

This is a backport of 7c3a47ed8965c3a3eb90a9a4678d5caedbba6337

From the commit to master:
As of Django 1.8.16, Django is rejecting any HTTP_HOST header that is
not on the ALLOWED_HOSTS list.  We often need to reference the toaster
server via a fqdn, if we start it via webport=0.0.0.0:8000 for instance,
and are hitting the server from a laptop. This change does reduce the
protection from a DNS rebinding attack; however, if you are running the
toaster server outside a protected network, you should be using the
production instance.

[YOCTO #10586]

Signed-off-by: brian avery <brian.avery@intel.com>
---
 lib/toaster/toastermain/settings.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/toaster/toastermain/settings.py b/lib/toaster/toastermain/settings.py
index 74ab604..6572acc 100644
--- a/lib/toaster/toastermain/settings.py
+++ b/lib/toaster/toastermain/settings.py
@@ -107,9 +107,19 @@ def getDATABASE_URL():
 
 
 
-# Hosts/domain names that are valid for this site; required if DEBUG is False
-# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = []
+# Update as of django 1.8.16 release, the '*' is needed to allow us to connect while running
+# on hosts without explicitly setting the fqdn for the toaster server.
+# See https://docs.djangoproject.com/en/dev/ref/settings/ for info on ALLOWED_HOSTS
+# Previously this setting was not enforced if DEBUG was set but it is now.
+# The previous behavior was such that ALLOWED_HOSTS defaulted to ['localhost','127.0.0.1','::1']
+# and if you bound to 0.0.0.0:<port #> then accessing toaster as localhost or fqdn would both work.
+# To have that same behavior, with a fqdn explicitly enabled you would set
+# ALLOWED_HOSTS= ['localhost','127.0.0.1','::1','myserver.mycompany.com'] for
+# Django >= 1.8.16. By default, we are not enforcing this restriction in
+# DEBUG mode.
+if DEBUG is True:
+    # this will allow connection via localhost,hostname, or fqdn
+    ALLOWED_HOSTS = ['*']
 
 # Local time zone for this installation. Choices can be found here:
 # http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
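Review bot: `if DEBUG is True:` is an identity test, so the wildcard branch is skipped whenever DEBUG holds a truthy value that is not the bool itself, such as 1; `if DEBUG:` is the usual form, or the comment should state that only a literal `True` is intended. Separately, the comment links to https://docs.djangoproject.com/en/dev/ref/settings/, which tracks the development docs and will drift from the 1.8.16 behaviour it describes; pinning the link to the release's docs with the #allowed-hosts anchor, as the removed comment did for 1.5, keeps it accurate.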
-- 
1.9.1



