Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)
When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure() and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.
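As an added illustration (written for this advisory, not Django's own code), the following models the scheme resolution before and after the fix. It assumes the common configuration SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https'), a proxy that forwards the client's original scheme in X-Forwarded-Proto, and a constructed WSGI environ in which the proxy itself reaches Django over HTTPS.

```python
"""Model of HttpRequest.scheme before and after the CVE-2019-12781 fix.

Illustration only; not Django's code. Assumes the deployment uses
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https').
"""

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')


def scheme_before_fix(meta):
    """Affected logic: only a matching header value forces 'https'; any
    other value falls through to the transport scheme, so a plain-HTTP client
    behind a proxy that speaks HTTPS to Django is reported as HTTPS."""
    header, value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == value:
        return 'https'
    # Fallback: scheme of the proxy-to-Django connection (wsgi.url_scheme).
    return meta.get('wsgi.url_scheme', 'http')


def scheme_after_fix(meta):
    """Fixed logic: when the proxy header is present its value decides the
    scheme in both directions; the transport scheme is used only when the
    header is absent."""
    header, value = SECURE_PROXY_SSL_HEADER
    header_value = meta.get(header)
    if header_value is not None:
        return 'https' if header_value == value else 'http'
    return meta.get('wsgi.url_scheme', 'http')


def needs_ssl_redirect(meta, resolver):
    """SECURE_SSL_REDIRECT semantics: redirect any request that is not secure."""
    return resolver(meta) != 'https'


# Constructed WSGI environ: the client spoke plain HTTP to the proxy, the
# proxy spoke HTTPS to Django and forwarded the original scheme.
HTTP_CLIENT_VIA_HTTPS_PROXY = {
    'wsgi.url_scheme': 'https',
    'HTTP_X_FORWARDED_PROTO': 'http',
}

if __name__ == '__main__':
    for name, resolver in (('before fix', scheme_before_fix),
                           ('after fix', scheme_after_fix)):
        scheme = resolver(HTTP_CLIENT_VIA_HTTPS_PROXY)
        redirect = needs_ssl_redirect(HTTP_CLIENT_VIA_HTTPS_PROXY, resolver)
        print(f'{name}: scheme={scheme} redirect_to_https={redirect}')
```

Running it shows the affected logic reporting the HTTP client as HTTPS and skipping the redirect, while the fixed logic reports HTTP and redirects.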
Fixed In Version:
Django 2.2.3, Django 2.1.10, Django 1.11.22
Reference:
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
Patch:
https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050
Affected branches:
- master
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable