[2.0.x] Forwardported 1.11.22 release notes.
This commit is contained in:
Mariusz Felisiak
parent
cf00b5612e
commit
8c85c86922
|
|
@ -0,0 +1,27 @@
|
||||||
|
============================
|
||||||
|
Django 1.11.22 release notes
|
||||||
|
============================
|
||||||
|
|
||||||
|
*July 1, 2019*
|
||||||
|
|
||||||
|
Django 1.11.22 fixes a security issue in 1.11.21.
|
||||||
|
|
||||||
|
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
When deployed behind a reverse-proxy connecting to Django via HTTPS,
|
||||||
|
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
|
||||||
|
requests made via HTTP as using HTTPS. This entails incorrect results for
|
||||||
|
:meth:`~django.http.HttpRequest.is_secure`, and
|
||||||
|
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
|
||||||
|
requests would not be redirected to HTTPS in accordance with
|
||||||
|
:setting:`SECURE_SSL_REDIRECT`.
|
||||||
|
|
||||||
|
``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
|
||||||
|
is configured, and the appropriate header is set on the request, for both HTTP
|
||||||
|
and HTTPS requests.
|
||||||
|
|
||||||
|
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
|
||||||
|
that connects to Django via HTTPS, be sure to verify that your application
|
||||||
|
correctly handles code paths relying on ``scheme``, ``is_secure()``,
|
||||||
|
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
|
||||||
|
|
@ -45,6 +45,7 @@ versions of the documentation contain the release notes for any later releases.
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
1.11.22
|
||||||
1.11.21
|
1.11.21
|
||||||
1.11.20
|
1.11.20
|
||||||
1.11.19
|
1.11.19
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue