authorCarlton Gibson <carlton.gibson@noumenal.es>2019-06-13 10:57:29 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-07-01 07:50:48 +0200
commit77706a3e4766da5d5fb75c4db22a0a59a28e6cd6 (patch)
treee2f3db1e846eb120c839d57872f46f90ef15e1f0 /tests
parentdb9f7b44fcdca18ef26dafaa87575a0745bc86cf (diff)
[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master
Diffstat (limited to 'tests')
-rw-r--r--tests/settings_tests/tests.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/settings_tests/tests.py b/tests/settings_tests/tests.py
index bfd580b600..d0127db427 100644
--- a/tests/settings_tests/tests.py
+++ b/tests/settings_tests/tests.py
@@ -367,6 +367,18 @@ class SecureProxySslHeaderTest(SimpleTestCase):
req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'https'
self.assertIs(req.is_secure(), True)
+ @override_settings(SECURE_PROXY_SSL_HEADER=('HTTP_X_FORWARDED_PROTOCOL', 'https'))
+ def test_xheader_preferred_to_underlying_request(self):
+ class ProxyRequest(HttpRequest):
+ def _get_scheme(self):
+ """Proxy always connecting via HTTPS"""
+ return 'https'
+
+ # Client connects via HTTP.
+ req = ProxyRequest()
+ req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'http'
+ self.assertIs(req.is_secure(), False)
+
class IsOverriddenTest(SimpleTestCase):
def test_configure(self):
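Review bot: The new test only pins the case where the proxy header carries a non-secure value while the underlying connection is HTTPS; it does not pin what happens when the header is absent on that same ProxyRequest, which is the other behaviour the fix has to preserve (falling back to `_get_scheme()` presumably, judging by the description of the change). Adding a second assertion to the same method after the existing check would close that gap: `del req.META['HTTP_X_FORWARDED_PROTOCOL']` followed by `self.assertIs(req.is_secure(), True)`, with a short comment such as `# No proxy header: fall back to the transport the proxy used.` Keeping both cases in one test also makes the setting's semantics ("trust the header when present, otherwise the underlying scheme") readable from the test alone. The enclosing class SecureProxySslHeaderTest starts above the hunk.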