[2.1.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. - django.git

diff options

author	Carlton Gibson <carlton.gibson@noumenal.es>	2019-06-13 10:57:29 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2019-07-01 08:24:47 +0200
commit	1e40f427bb8d0fb37cc9f830096a97c36c97af6f (patch)
tree	8f8525e01763ea03bfc8608c8d9475cfa8ab03cc /tests/template_tests/syntax_tests/test_basic.py
parent	87be9c9626014a2754729d6293cb4c86ba294354 (diff)

[2.1.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.

An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master

Diffstat (limited to 'tests/template_tests/syntax_tests/test_basic.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: