angler-fishThe Vulnerability History Project

[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.

      An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master
by Stephanie the Jack Russel 2019-06-13 08:57:29 UTC
commit 77706a3e4766da5d5fb75c4db22a0a59a28e6cd6
Django Fix CVE-2019-12781
django/http/request.py
+3 -4
docs/ref/settings.txt
+4 -7
docs/releases/1.11.22.txt
-20
docs/releases/2.1.10.txt
-20
docs/releases/2.2.3.txt
+2 -22
tests/settings_tests/tests.py
-12
expand_less