[1.10.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.

This is a security fix.
2025-10-28 16:16:12 +00:00 · 2016-10-17 12:14:49 -04:00
parent 34e10720d8
commit 884e113838
7 changed files with 95 additions and 22 deletions
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -90,14 +90,19 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if
 list, the :meth:`django.http.HttpRequest.get_host()` method will raise
 :exc:`~django.core.exceptions.SuspiciousOperation`.

-When :setting:`DEBUG` is ``True`` or when running tests, host validation is
-disabled; any host will be accepted. Thus it's usually only necessary to set it
-in production.
+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
+is validated against ``['localhost', '127.0.0.1', '[::1]']``.

 This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
 if your code accesses the ``Host`` header directly from ``request.META`` you
 are bypassing this security protection.

+.. versionchanged:: 1.10.3
+
+    In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``.
+    This was also changed in Django 1.9.11 and 1.8.16 to prevent a
+    DNS rebinding attack.
+
 .. setting:: APPEND_SLASH

 ``APPEND_SLASH``