Added protection against spoofing of X_FORWARDED_HOST headers. A security... (893cea21) · Commits · Dom Sekotill / django

django/conf/global_settings.py

+2 −0

Original line number	Diff line number	Diff line
		@@ -402,6 +402,8 @@ DEFAULT_INDEX_TABLESPACE = ''
		# Default X-Frame-Options header value
		X_FRAME_OPTIONS = 'SAMEORIGIN'

		USE_X_FORWARDED_HOST = False

		##############
		# MIDDLEWARE #
		##############

+2 −1

Original line number	Diff line number	Diff line
		@@ -194,7 +194,8 @@ class HttpRequest(object):
		def get_host(self):
		"""Returns the HTTP host using the environment or request headers."""
		# We try three options, in order of decreasing preference.
		if 'HTTP_X_FORWARDED_HOST' in self.META:
		if settings.USE_X_FORWARDED_HOST and (
		'HTTP_X_FORWARDED_HOST' in self.META):
		host = self.META['HTTP_X_FORWARDED_HOST']
		elif 'HTTP_HOST' in self.META:
		host = self.META['HTTP_HOST']

+5 −4

Original line number	Diff line number	Diff line
		@@ -193,10 +193,11 @@ Methods

		.. method:: HttpRequest.get_host()

		Returns the originating host of the request using information from the
		``HTTP_X_FORWARDED_HOST`` and ``HTTP_HOST`` headers (in that order). If
		they don't provide a value, the method uses a combination of
		``SERVER_NAME`` and ``SERVER_PORT`` as detailed in :pep:`3333`.
		Returns the originating host of the request using information from
		the ``HTTP_X_FORWARDED_HOST`` (if enabled in the settings) and ``HTTP_HOST``
		headers (in that order). If they don't provide a value, the method
		uses a combination of ``SERVER_NAME`` and ``SERVER_PORT`` as
		detailed in :pep:`3333`.

		Example: ``"127.0.0.1:8000"``

+14 −1

Original line number	Diff line number	Diff line
		@@ -2078,6 +2078,19 @@ When :setting:`USE_L10N` is set to ``True`` and if this is also set to
		See also :setting:`DECIMAL_SEPARATOR`, :setting:`NUMBER_GROUPING` and
		:setting:`THOUSAND_SEPARATOR`.

		.. setting:: USE_X_FORWARDED_HOST

		USE_X_FORWARDED_HOST
		--------------------

		.. versionadded:: 1.3.1

		Default: ``False``

		A boolean that specifies whether to use the X-Forwarded-Host header in
		preference to the Host header. This should only be enabled if a proxy
		which sets this header is in use.

		.. setting:: YEAR_MONTH_FORMAT

		YEAR_MONTH_FORMAT

+17 −0

Original line number	Diff line number	Diff line
		@@ -145,6 +145,23 @@ information is not leaked:

		.. _additional-security-topics:

		Host Headers and Virtual Hosting
		================================

		Django uses the Host header provided by the client to construct URLs
		in certain cases. While these values are sanitized to prevent Cross
		Site Scripting attacks, they can be used for Cross-Site Request
		Forgery and cache poisoning attacks in some circumstances. We
		recommend that users of Django ensure their web-server configuration
		always validates incoming HTTP Host headers against the expected host
		name, disallows requests with no Host header, and that the web server
		not be configured with a catch-all virtual host which forwards
		requests to a Django application.

		Additionally, as of 1.3.1, Django requires users to explicitly enable
		support for the X-Forwarded-Host header if their configuration
		requires it.

		Additional security topics
		==========================