django1

Commit Graph

Author	SHA1	Message	Date
Carlton Gibson	54d0f5e62f	Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review.	2019-07-01 07:48:04 +02:00
Mariusz Felisiak	30b3ee9d0b	Added stub release notes for security releases.	2019-07-01 06:57:27 +02:00

Author

SHA1

Message

Date

Carlton Gibson

54d0f5e62f

Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.

An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

2019-07-01 07:48:04 +02:00

Mariusz Felisiak

30b3ee9d0b

Added stub release notes for security releases.

2019-07-01 06:57:27 +02:00

2 Commits