[patchew-devel] Re: [PATCH] use X-Forwarded-Host header in HttpRequest.get_host()/get_port()

  • From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  • To: patchew-devel@xxxxxxxxxxxxx, Fam Zheng <famz@xxxxxxxxxx>
  • Date: Wed, 28 Feb 2018 16:39:57 +0100

On 28/02/2018 16:13, Fam Zheng wrote:

For the former, I wonder what the risks are of unconditionally doing

    ALLOWED_HOSTS = ["*"]

Django documentation says that "a fake Host value can be used for
Cross-Site Request Forgery, cache poisoning attacks, and poisoning links
in emails".

But I agree that it's okay for Patchew to set ALLOWED_HOSTS = ["*"],
with a comment that points to server_name in patchew-server.nginx.conf
as the right place for configuring patchew.

       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Host $host;
       # enable this if and only if you use HTTPS
       # proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host localhost;
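Review bot: the new `proxy_set_header X-Forwarded-Host $host;` line only changes what get_host() returns if Django is also told to honour that header (USE_X_FORWARDED_HOST in settings, which is what the subject's get_host()/get_port() change implies); with that setting off, Django keeps using the `proxy_set_header Host localhost;` value two lines below, and nothing in the hunk or its comments says which setting is expected to be on, so a comment next to the new line would help. Once the header is trusted, the ALLOWED_HOSTS = ["*"] discussed above means Django accepts whatever X-Forwarded-Host it receives, so this only holds if the backend is reachable through this nginx alone (bound to localhost); a client that reaches it directly can supply any host. The commented-out `X-Forwarded-Proto https` line is the same kind of dependency: forwarding the host without the scheme still yields http:// in absolute URLs built from the request on an HTTPS deployment.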
Actually, why not just change this to:

         proxy_set_header Host            $host;

That probably works too.

Paolo
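As an added example (not Patchew's or Django's own code), here is a small Python model of what this thread is about: how HttpRequest.get_host() chooses between Host and X-Forwarded-Host, how ALLOWED_HOSTS patterns are matched, and what each of the three proxy_set_header variants above makes Django see. The host name patchew.example.org, the /reset/ path and the "catch-all server block" behaviour in nginx_forward() are assumptions made for the demo. One caveat the model makes explicit: real nginx routes a request whose Host matches no server_name to its default server block, so server_name only replaces ALLOWED_HOSTS as the allowlist if a default_server block rejects unmatched hosts and the backend is reachable only through nginx.

```python
# Added example (not Patchew's or Django's code): a model of how
# HttpRequest.get_host() picks and validates the host behind the nginx
# configurations discussed in this thread. "patchew.example.org" and the
# /reset/ path are made up for the demo.
from __future__ import annotations


class DisallowedHost(Exception):
    """The effective host failed the ALLOWED_HOSTS check (Django raises this too)."""


class NotRouted(Exception):
    """Assumption for the model: a catch-all server block drops unmatched Hosts."""


def split_domain_port(host: str) -> tuple[str, str]:
    """Split 'example.org:8080' or '[::1]:8000' into (domain, port), lower-cased."""
    host = host.lower()
    if host.startswith("[") and "]" in host:          # IPv6 literal
        end = host.index("]")
        rest = host[end + 1:]
        return host[:end + 1], (rest[1:] if rest.startswith(":") else "")
    domain, sep, port = host.rpartition(":")
    return (domain, port) if sep else (host, "")


def validate_host(domain: str, allowed_hosts) -> bool:
    """ALLOWED_HOSTS semantics: '*' matches anything, '.example.org' matches
    example.org and every subdomain, anything else must match exactly."""
    domain = domain.lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def get_host(headers: dict, allowed_hosts, use_x_forwarded_host: bool) -> str:
    """X-Forwarded-Host wins only when USE_X_FORWARDED_HOST is on; otherwise
    Host is used. Either way the result must pass ALLOWED_HOSTS."""
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        raw = headers["X-Forwarded-Host"]
    else:
        raw = headers["Host"]
    domain, _port = split_domain_port(raw)
    if not validate_host(domain, allowed_hosts):
        raise DisallowedHost(f"Invalid HTTP_HOST header: {raw!r}")
    return raw


def reset_link(headers, allowed_hosts, use_x_forwarded_host) -> str:
    """An absolute URL of the kind a site puts in e-mail; this is what a forged
    Host poisons. Scheme is fixed to http since X-Forwarded-Proto is off above."""
    return f"http://{get_host(headers, allowed_hosts, use_x_forwarded_host)}/reset/token123"


def nginx_forward(client_headers: dict, mode: str, server_name="patchew.example.org") -> dict:
    """Headers nginx hands to Django under the three proxy_set_header variants
    in the thread. Real nginx sends an unmatched Host to its default server,
    so the NotRouted check stands in for an explicit catch-all block (assumption)."""
    domain, _ = split_domain_port(client_headers.get("Host", ""))
    if domain != server_name:
        raise NotRouted(client_headers.get("Host"))
    if mode == "before":            # proxy_set_header Host localhost;
        return {"Host": "localhost"}
    if mode == "patch":             # + proxy_set_header X-Forwarded-Host $host;
        return {"Host": "localhost", "X-Forwarded-Host": server_name}
    if mode == "host-passthrough":  # proxy_set_header Host $host;
        return {"Host": server_name}
    raise ValueError(mode)


def demo() -> dict:
    """Links produced via nginx for each variant, then what happens when the
    app is reached directly with a forged Host (nginx bypassed)."""
    out = {}
    good = {"Host": "patchew.example.org"}
    for mode, xfh in (("before", False), ("patch", True), ("host-passthrough", False)):
        out[mode] = reset_link(nginx_forward(good, mode), ["*"], xfh)
    forged = {"Host": "evil.example", "X-Forwarded-Host": "evil.example"}
    out["direct_wildcard"] = reset_link(forged, ["*"], True)
    try:
        reset_link(forged, ["patchew.example.org"], True)
        out["direct_explicit"] = "accepted"
    except DisallowedHost:
        out["direct_explicit"] = "rejected"
    try:
        nginx_forward(forged, "patch")
        out["via_nginx_forged"] = "routed"
    except NotRouted:
        out["via_nginx_forged"] = "dropped"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Running it shows the pre-patch configuration producing localhost links, both the X-Forwarded-Host and the Host $host variants producing the configured name, and ALLOWED_HOSTS = ["*"] accepting a forged host only when nginx is bypassed, where an explicit list still rejects it.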
