innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity
django1/django/http
History
Carlton Gibson 77706a3e47 [2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. 
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

Backport of 54d0f5e62f from master
 		2019-07-01 07:50:48 +02:00
..
__init__.py Fixed #26052 -- Moved conditional_content_removal() processing to the test client. 2016-04-25 07:56:07 -04:00
cookie.py Fixed #27863 -- Added support for the SameSite cookie flag. 2018-04-13 20:58:31 -04:00
multipartparser.py Fixed #28930 -- Simplified code with any() and all(). 2017-12-26 17:11:15 -05:00
request.py [2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. 2019-07-01 07:50:48 +02:00
response.py Normalized spelling of "lowercase" and "lowercased". 2018-09-25 10:30:18 -04:00