From 717b4a2b49ced8e48234baa214dea9cba459ce5c Mon Sep 17 00:00:00 2001
From: Daniel Quinn
Date: Tue, 3 Jan 2017 09:52:31 +0000
Subject: [PATCH] Fixes #172
Introduce some creative code around setting of ALLOWED_HOSTS that defaults to ['*']. Also added PAPERLESS_ALLOWED_HOSTS to paperless.conf.example with an explanation as to what it's for
---
 docs/changelog.rst | 5 +++++
 paperless.conf.example | 8 ++++++++
 src/paperless/settings.py | 6 +++++-
 src/paperless/version.py | 2 +-
 4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/docs/changelog.rst b/docs/changelog.rst
index fe5d5c314..48898ab22 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -1,6 +1,11 @@
 Changelog
 #########
+* 0.3.2
+  * Fix for #172: defaulting ALLOWED_HOSTS to ``["*"]`` and allowing the user
+    to set her own value via ``PAPERLESS_ALLOWED_HOSTS`` should the need
+    arise.
+
 * 0.3.1
   * Added a default value for ``CONVERT_BINARY``
diff --git a/paperless.conf.example b/paperless.conf.example
index f03bd2677..6e997cbf7 100644
--- a/paperless.conf.example
+++ b/paperless.conf.example
@@ -92,3 +92,11 @@ PAPERLESS_SHARED_SECRET=""
 # PAPERLESS_CONSUMPTION_DIR. If you tend to write documents to this directory
 # very slowly, you may want to use a higher value than the default (10).
 # PAPERLESS_CONSUMER_LOOP_TIME=10
+ # If you're planning on putting Paperless on the open internet, then you
+ # really should set this value to the domain name you're using. Failing to do
+ # so leaves you open to XSS attacks.
+ # Just remember that this is a comma-separated list, so "example.com" is fine,
+ # as is "example.com,www.example.com", but NOT " example.com" or "example.com,"
+ #PAPERLESS_ALLOWED_HOSTS="example.com,www.example.com"
+
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index fb5a4bf80..5514f3b79 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
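Review bot: The security rationale in the new comment block of paperless.conf.example is mistaken: Django's `ALLOWED_HOSTS` validates the incoming HTTP `Host` header and defends against Host-header attacks such as cache poisoning and password-reset link poisoning, not XSS, so `# so leaves you open to XSS attacks.` should read `# so leaves you open to HTTP Host header attacks (e.g. cache or password-reset poisoning).` The comment should also state plainly that the default shipped with this change is the wildcard `*`, which disables that check entirely, so setting the variable is not optional for a deployment reachable from the internet. The `NOT " example.com"` caveat exists only because settings.py splits the value on commas without trimming; if the split is made to strip whitespace and drop empty entries, that sentence can be removed rather than asking users to work around it.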
@@ -29,7 +29,11 @@ LOGIN_URL = '/admin/login'
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ["*"]
+
+_allowed_hosts = os.getenv("PAPERLESS_ALLOWED_HOSTS")
+if allowed_hosts:
+    ALLOWED_HOSTS = _allowed_hosts.split(",")
 # Tap paperless.conf if it's available
 if os.path.exists("/etc/paperless.conf"):
diff --git a/src/paperless/version.py b/src/paperless/version.py
index e28fcec5c..ce51f6631 100644
--- a/src/paperless/version.py
+++ b/src/paperless/version.py
@@ -1 +1 @@
-__version__ = (0, 3, 1)
+__version__ = (0, 3, 2)
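Review bot: `if allowed_hosts:` tests a name this hunk never defines — the env value is bound to `_allowed_hosts` on the line above — so importing settings raises `NameError` on every start unless a module-level `allowed_hosts` happens to exist above the hunk; it should be `if _allowed_hosts:`. While changing that line, trim the entries so a stray space or trailing comma cannot produce a host Django will never match: `ALLOWED_HOSTS = [h.strip() for h in _allowed_hosts.split(",") if h.strip()]`. The lookup also runs before the `# Tap paperless.conf if it's available` block that follows it; if that block is what loads `/etc/paperless.conf` into the environment, a `PAPERLESS_ALLOWED_HOSTS` set only in that file is never seen here, and the `os.getenv` call should move below it. Finally, the `["*"]` default switches off Django's Host header validation for every deployment that does not set the variable, a weaker posture than the `[]` it replaces, and deserves a comment in the settings module saying so, e.g. `# "*" disables Django's Host header check; set PAPERLESS_ALLOWED_HOSTS on any internet-facing install.`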