From: Chris Lamb <lamby@debian.org>
Date: Tue, 2 Jul 2019 23:02:23 -0300
Subject: CVE-2019-12781
Backport of https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050
---
django/http/request.py | 7 ++++---
tests/settings_tests/tests.py | 12 ++++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/django/http/request.py b/django/http/request.py
index 8c32af5..87b4fca 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -199,13 +199,14 @@ class HttpRequest(object):
def scheme(self):
if settings.SECURE_PROXY_SSL_HEADER:
try:
- header, value = settings.SECURE_PROXY_SSL_HEADER
+ header, secure_value = settings.SECURE_PROXY_SSL_HEADER
except ValueError:
raise ImproperlyConfigured(
'The SECURE_PROXY_SSL_HEADER setting must be a tuple containing two values.'
)
- if self.META.get(header) == value:
- return 'https'
+ header_value = self.META.get(header)
+ if header_value is not None:
+ return 'https' if header_value == secure_value else 'http'
return self._get_scheme()
def is_secure(self):
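Review bot: The new `header_value is not None` branch makes a present-but-non-secure proxy header win over `self._get_scheme()`, but nothing in the hunk records why that ordering matters, which invites a later "simplification" back to the fall-through that CVE-2019-12781 is about; a why-comment above `header_value = self.META.get(header)` would pin it, e.g. `# A present header is authoritative: the proxy saw the client's scheme, so any value other than secure_value means the client arrived over plaintext even when the proxy-to-app hop is TLS.` Note that an empty-string header value is not `None` and therefore yields `'http'`, which is the conservative outcome; the comparison is an exact string match, so values like `'HTTPS'` or `'https, http'` also resolve to `'http'`, which deployments with such proxies should be aware of. When the header is absent the fallback to `_get_scheme()` is unchanged, so the setting still only protects deployments whose proxy sets or strips the header on every request. `scheme`'s decorator, if any, and the rest of `HttpRequest` are outside the hunk.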
diff --git a/tests/settings_tests/tests.py b/tests/settings_tests/tests.py
index 97d734e..f0f1fe5 100644
--- a/tests/settings_tests/tests.py
+++ b/tests/settings_tests/tests.py
@@ -419,6 +419,18 @@ class SecureProxySslHeaderTest(SimpleTestCase):
req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'https'
self.assertIs(req.is_secure(), True)
+ @override_settings(SECURE_PROXY_SSL_HEADER=('HTTP_X_FORWARDED_PROTOCOL', 'https'))
+ def test_xheader_preferred_to_underlying_request(self):
+ class ProxyRequest(HttpRequest):
+ def _get_scheme(self):
+ """Proxy always connecting via HTTPS"""
+ return 'https'
+
+ # Client connects via HTTP.
+ req = ProxyRequest()
+ req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'http'
+ self.assertIs(req.is_secure(), False)
+
class IsOverriddenTest(SimpleTestCase):
def test_configure(self):
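Review bot: `test_xheader_preferred_to_underlying_request` covers only the header-present-with-non-secure-value case; the fallback branch that the fix deliberately keeps (header absent, underlying scheme trusted) is not pinned, so a regression that stops consulting `_get_scheme()` would pass this suite. Two more assertions on the same `ProxyRequest` would close that: `del req.META['HTTP_X_FORWARDED_PROTOCOL']` followed by `self.assertIs(req.is_secure(), True)`. An empty-string value (`req.META['HTTP_X_FORWARDED_PROTOCOL'] = ''` asserting `False`) is also worth pinning, since `''` is not `None` and must be treated as non-secure. The rest of `SecureProxySslHeaderTest` is outside the hunk.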