django1/docs/releases/2.2.3.txt

==========================
Django 2.2.3 release notes
==========================

*July 1, 2019*

Django 2.2.3 fixes a security issue and several bugs in 2.2.2. Also, the latest
string translations from Transifex are incorporated.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
--------------------------------------------------------------------------------

When deployed behind a reverse-proxy connecting to Django via HTTPS,
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
requests made via HTTP as using HTTPS. This entails incorrect results for
:meth:`~django.http.HttpRequest.is_secure`, and
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
requests would not be redirected to HTTPS in accordance with
:setting:`SECURE_SSL_REDIRECT`.

``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it is
configured, and the appropriate header is set on the request, for both HTTP and
HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
that connects to Django via HTTPS, be sure to verify that your application
correctly handles code paths relying on ``scheme``, ``is_secure()``,
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.

Bugfixes
========

* Fixed a regression in Django 2.2 where :class:`~django.db.models.Avg`,
  :class:`~django.db.models.StdDev`, and :class:`~django.db.models.Variance`
  crash with ``filter`` argument (:ticket:`30542`).

* Fixed a regression in Django 2.2.2 where auto-reloader crashes with
  ``AttributeError``, e.g. when using ``ipdb`` (:ticket:`30588`).
Added stub release notes for 2.2.3. 2019-06-05 12:55:12 +08:00			`==========================`
			`Django 2.2.3 release notes`
			`==========================`

Added release date for 2.2.3. 2019-07-01 13:48:45 +08:00			`July 1, 2019`
Added stub release notes for 2.2.3. 2019-06-05 12:55:12 +08:00
Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. 2019-06-13 16:57:29 +08:00			`Django 2.2.3 fixes a security issue and several bugs in 2.2.2. Also, the latest`
			`string translations from Transifex are incorporated.`

			`CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS`
			`--------------------------------------------------------------------------------`

			`When deployed behind a reverse-proxy connecting to Django via HTTPS,`
			:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
			`requests made via HTTP as using HTTPS. This entails incorrect results for`
			:meth:`~django.http.HttpRequest.is_secure`, and
			:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
			`requests would not be redirected to HTTPS in accordance with`
			:setting:`SECURE_SSL_REDIRECT`.

			``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it is
			`configured, and the appropriate header is set on the request, for both HTTP and`
			`HTTPS requests.`

			`If you deploy Django behind a reverse-proxy that forwards HTTP requests, and`
			`that connects to Django via HTTPS, be sure to verify that your application`
			correctly handles code paths relying on ``scheme``, ``is_secure()``,
			``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
Added stub release notes for 2.2.3. 2019-06-05 12:55:12 +08:00
			`Bugfixes`
			`========`

Fixed #30542 -- Fixed crash of numerical aggregations with filter. Filters in annotations crashed when used with numerical-type aggregations (i.e. Avg, StdDev, and Variance). This was caused as the source expressions no not necessarily have an output_field (such as the filter field), which lead to an AttributeError: 'WhereNode' object has no attribute output_field. Thanks to Chuan-Zheng Lee for the report. Regression in c690afb873cac8035a3cb3be7c597a5ff0e4b261 and two following commits. 2019-06-04 15:01:16 +08:00			* Fixed a regression in Django 2.2 where :class:`~django.db.models.Avg`,
			:class:`~django.db.models.StdDev`, and :class:`~django.db.models.Variance`
			crash with ``filter`` argument (:ticket:`30542`).
Fixed #30588 -- Fixed crash of autoreloader when __main__ module doesn't have __file__ attribute. 2019-06-26 12:44:10 +08:00
			`* Fixed a regression in Django 2.2.2 where auto-reloader crashes with`
			``AttributeError``, e.g. when using ``ipdb`` (:ticket:`30588`).