summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2019-06-13 10:57:29 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-07-01 07:50:48 +0200
commit77706a3e4766da5d5fb75c4db22a0a59a28e6cd6 (patch)
treee2f3db1e846eb120c839d57872f46f90ef15e1f0 /docs/ref
parentdb9f7b44fcdca18ef26dafaa87575a0745bc86cf (diff)
[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/settings.txt11
1 files changed, 7 insertions, 4 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index d203728e08..9618f1f039 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2224,10 +2224,13 @@ By default, ``is_secure()`` determines if a request is secure by confirming
that a requested URL uses ``https://``. This method is important for Django's
CSRF protection, and it may be used by your own code or third-party apps.
-If your Django app is behind a proxy, though, the proxy may be "swallowing" the
-fact that a request is HTTPS, using a non-HTTPS connection between the proxy
-and Django. In this case, ``is_secure()`` would always return ``False`` -- even
-for requests that were made via HTTPS by the end user.
+If your Django app is behind a proxy, though, the proxy may be "swallowing"
+whether the original request uses HTTPS or not. If there is a non-HTTPS
+connection between the proxy and Django then ``is_secure()`` would always
+return ``False`` -- even for requests that were made via HTTPS by the end user.
+In contrast, if there is an HTTPS connection between the proxy and Django then
+``is_secure()`` would always return ``True`` -- even for requests that were
+made originally via HTTP.
In this situation, configure your proxy to set a custom HTTP header that tells
Django whether the request came in via HTTPS, and set