author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-06-13 10:57:29 +0200 |
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-07-01 07:48:04 +0200 |
commit | 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 (patch) | |
tree | c8ccf1b4aa9c140a56f61e844723f5ff89ae9b5c /django/http/request.py | |
parent | 30b3ee9d0b33bb440f9c73d1ce9e0e7303887a9f (diff) | |
download | django-54d0f5e62f54c29a12dd96f44bacd810cbe03ac8.tar.gz |
Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.
HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.
Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.
Diffstat (limited to 'django/http/request.py')
-rw-r--r-- | django/http/request.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/django/http/request.py b/django/http/request.py
index 804db6bf66..98a51f57c8 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -226,13 +226,14 @@ class HttpRequest:
     def scheme(self):
         if settings.SECURE_PROXY_SSL_HEADER:
             try:
-                header, value = settings.SECURE_PROXY_SSL_HEADER
+                header, secure_value = settings.SECURE_PROXY_SSL_HEADER
             except ValueError:
                 raise ImproperlyConfigured(
                     'The SECURE_PROXY_SSL_HEADER setting must be a tuple containing two values.'
                 )
-            if self.META.get(header) == value:
-                return 'https'
+            header_value = self.META.get(header)
+            if header_value is not None:
+                return 'https' if header_value == secure_value else 'http'
         return self._get_scheme()
 
     def is_secure(self):
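Review bot: The new `if header_value is not None:` branch silently changes the trust model of `SECURE_PROXY_SSL_HEADER` — a present header is now authoritative in both directions, and any value other than `secure_value` (including an empty string or a differently-cased `HTTPS`) forces `'http'` — but nothing in the code says so; the rationale lives only in the commit message. I would add, above `header_value = self.META.get(header)`, `# If the proxy set the header, trust it exclusively (a non-secure value means 'http' even over TLS, see CVE-2019-12781); only fall back to the transport scheme when it is absent.` It is also worth stating next to that fallback that `_get_scheme()` is reached only when the header is missing, which is safe only if the proxy strips client-supplied copies of the header — that precondition is presumably documented with the setting, but a one-line reminder here would help the next reader. `is_secure` continues outside the hunk.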