Moving ALLOWED_HOSTS to local_settings.

(imported from commit b89c6983fd87ede42954dd84706f999ed0de740d)
2025-11-20 14:38:46 +00:00 · 2015-08-20 23:21:23 -07:00
parent 80651c99cd
commit 59b94a901c
3 changed files with 24 additions and 16 deletions
--- a/zproject/local_settings.py
+++ b/zproject/local_settings.py
@@ -94,6 +94,21 @@ SSO_APPEND_DOMAIN = None
 AUTHENTICATION_BACKENDS = ('zproject.backends.EmailAuthBackend',
                           'zproject.backends.GoogleMobileOauth2Backend')

+# ALLOWED_HOSTS is used by django to determine which addresses
+# Zulip can serve. This is a security measure.
+if TESTING_DEPLOYED:
+    # Allow any hosts for our test instances, to reduce 500 spam
+    ALLOWED_HOSTS = ['*']
+else:
+    # Deployed on zulip.com
+    ALLOWED_HOSTS = ['localhost', '.humbughq.com', '54.214.48.144', '54.213.44.54',
+                     '54.213.41.54', '54.213.44.58', '54.213.44.73',
+                     '54.200.19.65', '54.201.95.104', '54.201.95.206',
+                     '54.201.186.29', '54.200.111.22',
+                     '54.245.120.64', '54.213.44.83', '.zulip.com', '.zulip.net',
+                     'chat.dropboxer.net',
+                     ]
+

 JWT_AUTH_KEYS = {}

--- a/zproject/local_settings_template.py
+++ b/zproject/local_settings_template.py
@@ -43,6 +43,14 @@ DEFAULT_FROM_EMAIL = "Zulip <zulip@example.com>"
 # Messages sent to this address should not be delivered anywhere.
 NOREPLY_EMAIL_ADDRESS = "noreply@example.com"

+# A list of strings representing the host/domain names that this
+# Django site can serve. You should reset it to be a list of
+# domains/IP addresses for your site. This is a security measure to
+# prevent an attacker from poisoning caches and triggering password
+# reset emails with links to malicious hosts by submitting requests
+# with a fake HTTP Host header.
+ALLOWED_HOSTS = ['*']
+
 ### OPTIONAL SETTINGS

 # Controls whether session cookies expire when the browser closes
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -87,6 +87,7 @@ else:
    # sample local_settings.py file, with a few exceptions.
    from local_settings_template import *
    EXTERNAL_HOST = 'localhost:9991'
+    ALLOWED_HOSTS = ['localhost']
    AUTHENTICATION_BACKENDS = ('zproject.backends.DevAuthBackend',)
    # Add some of the below if you're testing other backends
    # AUTHENTICATION_BACKENDS = ('zproject.backends.EmailAuthBackend',
@@ -344,22 +345,6 @@ if not DEPLOYED:
    # can query using ./manage.py print_initial_password
    INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")

-if TESTING_DEPLOYED or ENTERPRISE:
-    # XXX we should probably tighten this for ENTERPRISE
-    # Allow any hosts for our test instances, to reduce 500 spam
-    ALLOWED_HOSTS = ['*']
-elif DEPLOYED:
-    # The IP addresses are for app.zulip.{com,net} and staging.zulip.{com,net}
-    ALLOWED_HOSTS = ['localhost', '.humbughq.com', '54.214.48.144', '54.213.44.54',
-                     '54.213.41.54', '54.213.44.58', '54.213.44.73',
-                     '54.200.19.65', '54.201.95.104', '54.201.95.206',
-                     '54.201.186.29', "54.200.111.22",
-                     '54.245.120.64', '54.213.44.83', '.zulip.com', '.zulip.net',
-                     'chat.dropboxer.net',
-                     ]
-else:
-    ALLOWED_HOSTS = ['localhost']
-
 ########################################################################
 # DEFAULT VALUES
 ########################################################################