mirror of
https://github.com/django/django.git
synced 2024-11-29 22:56:46 +01:00
54d0f5e62f
An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review.
28 lines
1.2 KiB
Plaintext
28 lines
1.2 KiB
Plaintext
============================
|
|
Django 1.11.22 release notes
|
|
============================
|
|
|
|
*July 1, 2019*
|
|
|
|
Django 1.11.22 fixes a security issue in 1.11.21.
|
|
|
|
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
|
|
--------------------------------------------------------------------------------
|
|
|
|
When deployed behind a reverse-proxy connecting to Django via HTTPS,
|
|
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
|
|
requests made via HTTP as using HTTPS. This entails incorrect results for
|
|
:meth:`~django.http.HttpRequest.is_secure`, and
|
|
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
|
|
requests would not be redirected to HTTPS in accordance with
|
|
:setting:`SECURE_SSL_REDIRECT`.
|
|
|
|
``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
|
|
is configured, and the appropriate header is set on the request, for both HTTP
|
|
and HTTPS requests.
|
|
|
|
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
|
|
that connects to Django via HTTPS, be sure to verify that your application
|
|
correctly handles code paths relying on ``scheme``, ``is_secure()``,
|
|
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
|