mirror of
https://github.com/django/django.git
synced 2024-11-30 07:06:18 +01:00
39 lines
1.6 KiB
Plaintext
39 lines
1.6 KiB
Plaintext
==========================
|
|
Django 2.2.3 release notes
|
|
==========================
|
|
|
|
*July 1, 2019*
|
|
|
|
Django 2.2.3 fixes a security issue and several bugs in 2.2.2. Also, the latest
|
|
string translations from Transifex are incorporated.
|
|
|
|
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
|
|
--------------------------------------------------------------------------------
|
|
|
|
When deployed behind a reverse-proxy connecting to Django via HTTPS,
|
|
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
|
|
requests made via HTTP as using HTTPS. This entails incorrect results for
|
|
:meth:`~django.http.HttpRequest.is_secure`, and
|
|
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
|
|
requests would not be redirected to HTTPS in accordance with
|
|
:setting:`SECURE_SSL_REDIRECT`.
|
|
|
|
``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it is
|
|
configured, and the appropriate header is set on the request, for both HTTP and
|
|
HTTPS requests.
|
|
|
|
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
|
|
that connects to Django via HTTPS, be sure to verify that your application
|
|
correctly handles code paths relying on ``scheme``, ``is_secure()``,
|
|
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a regression in Django 2.2 where :class:`~django.db.models.Avg`,
|
|
:class:`~django.db.models.StdDev`, and :class:`~django.db.models.Variance`
|
|
crash with ``filter`` argument (:ticket:`30542`).
|
|
|
|
* Fixed a regression in Django 2.2.2 where auto-reloader crashes with
|
|
``AttributeError``, e.g. when using ``ipdb`` (:ticket:`30588`).
|