"Fossies" - the Fresh Open Source Software Archive

Member "Django-1.11.25/docs/releases/1.11.22.txt" (1 Oct 2019, 1195 Bytes) of package /linux/www/Django-1.11.25.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 ============================
    2 Django 1.11.22 release notes
    3 ============================
    4 
    5 *July 1, 2019*
    6 
    7 Django 1.11.22 fixes a security issue in 1.11.21.
    8 
    9 CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
   10 --------------------------------------------------------------------------------
   11 
   12 When deployed behind a reverse-proxy connecting to Django via HTTPS,
   13 :attr:`django.http.HttpRequest.scheme` would incorrectly detect client
   14 requests made via HTTP as using HTTPS. This entails incorrect results for
   15 :meth:`~django.http.HttpRequest.is_secure`, and
   16 :meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
   17 requests would not be redirected to HTTPS in accordance with
   18 :setting:`SECURE_SSL_REDIRECT`.
   19 
   20 ``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
   21 is configured, and the appropriate header is set on the request, for both HTTP
   22 and HTTPS requests.
   23 
   24 If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
   25 that connects to Django via HTTPS, be sure to verify that your application
   26 correctly handles code paths relying on ``scheme``, ``is_secure()``,
   27 ``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.