django/django/http
Carlton Gibson 54d0f5e62f Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.
2019-07-01 07:48:04 +02:00
..
__init__.py Fixed #26052 -- Moved conditional_content_removal() processing to the test client. 2016-04-25 07:56:07 -04:00
cookie.py Fixed #27863 -- Added support for the SameSite cookie flag. 2018-04-13 20:58:31 -04:00
multipartparser.py Refs #27753 -- Deprecated django.utils.text.unescape_entities(). 2019-05-08 08:00:59 +02:00
request.py Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. 2019-07-01 07:48:04 +02:00
response.py Fixed #30565 -- Closed HttpResponse when wsgi.file_wrapper closes file-like object. 2019-06-20 11:48:49 +02:00