2019 年 7 月 1 日
Django 2.2.3 fixes a security issue and several bugs in 2.2.2. Also, the latest string translations from Transifex are incorporated.
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
When deployed behind a reverse-proxy connecting to Django via HTTPS,
django.http.HttpRequest.scheme
would incorrectly detect client
requests made via HTTP as using HTTPS. This entails incorrect results for
is_secure()
, and
build_absolute_uri()
, and that HTTP
requests would not be redirected to HTTPS in accordance with
SECURE_SSL_REDIRECT
.
HttpRequest.scheme
now respects SECURE_PROXY_SSL_HEADER
, if it is
configured, and the appropriate header is set on the request, for both HTTP and
HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
that connects to Django via HTTPS, be sure to verify that your application
correctly handles code paths relying on scheme
, is_secure()
,
build_absolute_uri()
, and SECURE_SSL_REDIRECT
.
讨论区