Moving ALLOWED_HOSTS to local_settings.

(imported from commit b89c6983fd87ede42954dd84706f999ed0de740d)

zproject/local_settings.py

@@ -94,6 +94,21 @@ SSO_APPEND_DOMAIN = None
 AUTHENTICATION_BACKENDS = ('zproject.backends.EmailAuthBackend',
                            'zproject.backends.GoogleMobileOauth2Backend')
 
+# ALLOWED_HOSTS is used by django to determine which addresses
+# Zulip can serve. This is a security measure.
+if TESTING_DEPLOYED:
+    # Allow any hosts for our test instances, to reduce 500 spam
+    ALLOWED_HOSTS = ['*']
+else:
+    # Deployed on zulip.com
+    ALLOWED_HOSTS = ['localhost', '.humbughq.com', '54.214.48.144', '54.213.44.54',
+                     '54.213.41.54', '54.213.44.58', '54.213.44.73',
+                     '54.200.19.65', '54.201.95.104', '54.201.95.206',
+                     '54.201.186.29', '54.200.111.22',
+                     '54.245.120.64', '54.213.44.83', '.zulip.com', '.zulip.net',
+                     'chat.dropboxer.net',
+                     ]
+
 
 JWT_AUTH_KEYS = {}
 

zproject/local_settings_template.py

@@ -43,6 +43,14 @@ DEFAULT_FROM_EMAIL = "Zulip <zulip@example.com>"
 # Messages sent to this address should not be delivered anywhere.
 NOREPLY_EMAIL_ADDRESS = "noreply@example.com"
 
+# A list of strings representing the host/domain names that this
+# Django site can serve. You should reset it to be a list of
+# domains/IP addresses for your site. This is a security measure to
+# prevent an attacker from poisoning caches and triggering password
+# reset emails with links to malicious hosts by submitting requests
+# with a fake HTTP Host header.
+ALLOWED_HOSTS = ['*']
+
 ### OPTIONAL SETTINGS
 
 # Controls whether session cookies expire when the browser closes

zproject/settings.py

@@ -87,6 +87,7 @@ else:
     # sample local_settings.py file, with a few exceptions.
     from local_settings_template import *
     EXTERNAL_HOST = 'localhost:9991'
+    ALLOWED_HOSTS = ['localhost']
     AUTHENTICATION_BACKENDS = ('zproject.backends.DevAuthBackend',)
     # Add some of the below if you're testing other backends
     # AUTHENTICATION_BACKENDS = ('zproject.backends.EmailAuthBackend',
@@ -344,22 +345,6 @@ if not DEPLOYED:
     # can query using ./manage.py print_initial_password
     INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
 
-if TESTING_DEPLOYED or ENTERPRISE:
-    # XXX we should probably tighten this for ENTERPRISE
-    # Allow any hosts for our test instances, to reduce 500 spam
-    ALLOWED_HOSTS = ['*']
-elif DEPLOYED:
-    # The IP addresses are for app.zulip.{com,net} and staging.zulip.{com,net}
-    ALLOWED_HOSTS = ['localhost', '.humbughq.com', '54.214.48.144', '54.213.44.54',
-                     '54.213.41.54', '54.213.44.58', '54.213.44.73',
-                     '54.200.19.65', '54.201.95.104', '54.201.95.206',
-                     '54.201.186.29', "54.200.111.22",
-                     '54.245.120.64', '54.213.44.83', '.zulip.com', '.zulip.net',
-                     'chat.dropboxer.net',
-                     ]
-else:
-    ALLOWED_HOSTS = ['localhost']
-
 ########################################################################
 # DEFAULT VALUES
 ########################################################################