django

Author SHA1 Message Date

Author	SHA1	Message	Date
Carlton Gibson	77706a3e47	[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of `54d0f5e62f` from master	2019-07-01 07:50:48 +02:00
Mariusz Felisiak	db9f7b44fc	[2.2.x] Added stub release notes for security releases. Backport of `30b3ee9d0b` from master	2019-07-01 07:03:03 +02:00

Carlton Gibson

77706a3e47

[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.

An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

Backport of 54d0f5e62f from master

2019-07-01 07:50:48 +02:00

Mariusz Felisiak

db9f7b44fc

[2.2.x] Added stub release notes for security releases.

Backport of 30b3ee9d0b from master

2019-07-01 07:03:03 +02:00

2 Commits