django/docs/releases/1.11.22.txt

============================
Django 1.11.22 release notes
============================

*July 1, 2019*

Django 1.11.22 fixes a security issue in 1.11.21.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
--------------------------------------------------------------------------------

When deployed behind a reverse-proxy connecting to Django via HTTPS,
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
requests made via HTTP as using HTTPS. This entails incorrect results for
:meth:`~django.http.HttpRequest.is_secure`, and
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
requests would not be redirected to HTTPS in accordance with
:setting:`SECURE_SSL_REDIRECT`.

``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
is configured, and the appropriate header is set on the request, for both HTTP
and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
that connects to Django via HTTPS, be sure to verify that your application
correctly handles code paths relying on ``scheme``, ``is_secure()``,
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
Added stub release notes for security releases. 2019-06-20 08:45:38 +00:00			`============================`
			`Django 1.11.22 release notes`
			`============================`

			`July 1, 2019`

			`Django 1.11.22 fixes a security issue in 1.11.21.`
Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. 2019-06-13 08:57:29 +00:00
			`CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS`
			`--------------------------------------------------------------------------------`

			`When deployed behind a reverse-proxy connecting to Django via HTTPS,`
			:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
			`requests made via HTTP as using HTTPS. This entails incorrect results for`
			:meth:`~django.http.HttpRequest.is_secure`, and
			:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
			`requests would not be redirected to HTTPS in accordance with`
			:setting:`SECURE_SSL_REDIRECT`.

			``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
			`is configured, and the appropriate header is set on the request, for both HTTP`
			`and HTTPS requests.`

			`If you deploy Django behind a reverse-proxy that forwards HTTP requests, and`
			`that connects to Django via HTTPS, be sure to verify that your application`
			correctly handles code paths relying on ``scheme``, ``is_secure()``,
			``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.