Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-12-15 21:45:20 +00:00 · 2011-09-10 00:46:38 +00:00 · 2011-09-10 00:46:38 +00:00 · 893cea211a
commit 893cea211a
parent 0516ac3d28
6 changed files with 130 additions and 6 deletions
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@ -193,10 +193,11 @@ Methods

 .. method:: HttpRequest.get_host()

-    Returns the originating host of the request using information from the
-    ``HTTP_X_FORWARDED_HOST`` and ``HTTP_HOST`` headers (in that order). If
-    they don't provide a value, the method uses a combination of
-    ``SERVER_NAME`` and ``SERVER_PORT`` as detailed in :pep:`3333`.
+    Returns the originating host of the request using information from
+    the ``HTTP_X_FORWARDED_HOST`` (if enabled in the settings) and ``HTTP_HOST``
+    headers (in that order). If they don't provide a value, the method
+    uses a combination of ``SERVER_NAME`` and ``SERVER_PORT`` as
+    detailed in :pep:`3333`.

    Example: ``"127.0.0.1:8000"``

--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -2078,6 +2078,19 @@ When :setting:`USE_L10N` is set to ``True`` and if this is also set to
 See also :setting:`DECIMAL_SEPARATOR`, :setting:`NUMBER_GROUPING` and
 :setting:`THOUSAND_SEPARATOR`.

+.. setting:: USE_X_FORWARDED_HOST
+
+USE_X_FORWARDED_HOST
+--------------------
+
+.. versionadded:: 1.3.1
+
+Default: ``False``
+
+A boolean that specifies whether to use the X-Forwarded-Host header in
+preference to the Host header. This should only be enabled if a proxy
+which sets this header is in use.
+
 .. setting:: YEAR_MONTH_FORMAT

 YEAR_MONTH_FORMAT
@ -2135,4 +2148,4 @@ IGNORABLE_404_STARTS
 --------------------

 .. deprecated:: 1.4
-   This setting has been superseded by :setting:`IGNORABLE_404_URLS`.
+   This setting has been superseded by :setting:`IGNORABLE_404_URLS`.
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@ -145,6 +145,23 @@ information is not leaked:

 .. _additional-security-topics:

+Host Headers and Virtual Hosting
+================================
+
+Django uses the Host header provided by the client to construct URLs
+in certain cases. While these values are sanitized to prevent Cross
+Site Scripting attacks, they can be used for Cross-Site Request
+Forgery and cache poisoning attacks in some circumstances. We
+recommend that users of Django ensure their web-server configuration
+always validates incoming HTTP Host headers against the expected host
+name, disallows requests with no Host header, and that the web server
+not be configured with a catch-all virtual host which forwards
+requests to a Django application.
+
+Additionally, as of 1.3.1, Django requires users to explicitly enable
+support for the X-Forwarded-Host header if their configuration
+requires it.
+
 Additional security topics
 ==========================