[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.

An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of 54d0f5e62f from master
2025-11-07 07:15:35 +00:00 · 2019-06-13 10:57:29 +02:00
parent db9f7b44fc
commit 77706a3e47
6 changed files with 85 additions and 9 deletions
--- a/tests/settings_tests/tests.py
+++ b/tests/settings_tests/tests.py
@@ -367,6 +367,18 @@ class SecureProxySslHeaderTest(SimpleTestCase):
        req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'https'
        self.assertIs(req.is_secure(), True)

+    @override_settings(SECURE_PROXY_SSL_HEADER=('HTTP_X_FORWARDED_PROTOCOL', 'https'))
+    def test_xheader_preferred_to_underlying_request(self):
+        class ProxyRequest(HttpRequest):
+            def _get_scheme(self):
+                """Proxy always connecting via HTTPS"""
+                return 'https'
+
+        # Client connects via HTTP.
+        req = ProxyRequest()
+        req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'http'
+        self.assertIs(req.is_secure(), False)
+

 class IsOverriddenTest(SimpleTestCase):
    def test_configure(self):